[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] CVE-2022-33683: Apache Pulsar: Disabled Certificate Validation makes Broker, Proxy Ad
From:       Michael Marshall <mmarshall () apache ! org>
Date:       2022-09-22 17:45:36
Message-ID: 182c53cf-4478-dd22-915b-b54f8c8f21b0 () apache ! org
[Download RAW message or body]

Severity: high

Description:

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client =
that does not verify peer TLS certificates, even when =
tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin =
Client's intra-cluster and geo-replication HTTPS connections are vulnerable=
 to man in the middle attacks, which could leak authentication data, =
configuration data, and any other data sent by these clients.

An attacker can only take advantage of this vulnerability by taking control=
 of a machine 'between' the client and the server. The attacker must then =
actively manipulate traffic to perform the attack.

This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; =
2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier.

Mitigation:

Any users running affected versions of the Pulsar Broker or Pulsar Proxy =
should rotate static authentication data vulnerable to man in the middle =
attacks used by these applications, including tokens and passwords.

2.7 users should upgrade Pulsar Brokers and Proxies to 2.7.5, and rotate =
vulnerable authentication data, including tokens and passwords.
2.8 users should upgrade Pulsar Brokers and Proxies to 2.8.4, and rotate =
vulnerable authentication data, including tokens and passwords.
2.9 users should upgrade Pulsar Brokers and Proxies to 2.9.3, and rotate =
vulnerable authentication data, including tokens and passwords.
2.10 users should upgrade Pulsar Brokers and Proxies to 2.10.1, and rotate =
vulnerable authentication data, including tokens and passwords.
Any users running Pulsar Brokers and Proxies for 2.6 and earlier should =
upgrade to one of the above patched versions, and rotate vulnerable =
authentication data, including tokens and passwords.

In addition to upgrading, it is also necessary to enable hostname =
verification to prevent man in the middle attacks. Please see =
CVE-2022-33682 for more information.

Credit:

This issue was discovered by Michael Marshall of DataStax.

[prev in list] [next in list] [prev in thread] [next in thread]