Apache Qpid Proton 0.12.0 SSL Failure
Posted Mar 23, 2016
Authored by M. Farrellee

Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user. Apache Qpid Proton python API versions starting at 0.9 and up to 0.12.0 are affected.

tags | advisory, tcp, python
advisories | CVE-2016-2166
SHA-256 | 68f91e3dd01e746dfc1937199c650b9c4fab137baa29178d81db86380e0218cd

Apache Software Foundation - Security Advisory

Apache Qpid Proton python binding silently ignores request for
'amqps' if SSL/TLS not supported.

CVE-2016-2166 CVSS: 5.7

Severity: Moderate

Vendor:

The Apache Software Foundation

Versions Affected:

Apache Qpid Proton python API starting at 0.9 up to and including
version 0.12.0.

Description:

Messaging applications using the Proton Python API to provision an
SSL/TLS encrypted TCP connection may actually instantiate a
non-encrypted connection without notice if SSL support is unavailable.
This will result in all messages being sent in the clear without the
knowledge of the user.

This issue affects those applications that use the Proton Reactor
Python API to create SSL/TLS connections. Specifically, the
proton.reactor.Connector, proton.reactor.Container, and
proton.utils.BlockingConnection classes are vulnerable. These classes
can create an unencrypted connection even when the "amqps://" URL
prefix is used.

The issue only occurs if the installed Proton libraries do not support
SSL. This would be the case if the libraries were built without SSL
support or the necessary SSL libraries are not present on the system
(e.g. OpenSSL in the case of *nix).

To check whether or not the Python API provides SSL support, use the
following console command:

python -c "import proton; print('SSL present' if proton.SSL.present() else 'SSL NOT AVAILABLE')"

In addition, the issue can only occur if both ends of the connection
accept a cleartext (non-SSL) connection. This would be the case if the
vulnerability is active on both ends of the connection, or if the
non-affected endpoint (for example the broker) also allows cleartext
connections on the port being used; an endpoint that requires TLS will
reject the unencrypted connection instead.

Solution:

Proton release 0.12.1 resolves this issue by raising an SSLUnavailable
exception when SSL is not available and a SSL/TLS connection is
requested via the "amqps://" URL prefix.
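The following is an added example, not code from the Proton project, showing the fail-closed behaviour described above next to the silent downgrade it replaces, and the application-side guard an unpatched 0.9 to 0.12.0 deployment can apply using proton.SSL.present(). The names SSLUnavailable, probe_ssl_support() and plan_connection() are defined here for illustration and are not the Proton API; the only Proton call used is proton.SSL.present(), and the module runs without Proton installed (it then reports SSL as unavailable). The hostnames are constructed.

```python
# Added example: decide whether an "amqps://" request may proceed.
# Fail-closed mode mirrors the Proton 0.12.1 fix; fail-open mode
# reproduces the 0.9 - 0.12.0 defect for comparison. Not project code.
from urllib.parse import urlparse

# AMQP's registered ports: 5672 for cleartext amqp, 5671 for TLS (amqps).
DEFAULT_PORTS = {"amqp": 5672, "amqps": 5671}


class SSLUnavailable(Exception):
    """Hypothetical exception: TLS was requested but cannot be provided."""


def probe_ssl_support():
    """Ask the installed Proton binding whether SSL/TLS support is present.

    A binding that is missing entirely is treated like a binding built
    without SSL: both mean an amqps:// URL cannot be honoured.
    """
    try:
        import proton  # real binding, only consulted when installed
    except ImportError:
        return False
    return bool(proton.SSL.present())


def plan_connection(url, ssl_present=None, fail_closed=True):
    """Return (host, port, encrypted) for the connection `url` asks for.

    fail_closed=True  : an amqps:// URL without SSL support raises
                        SSLUnavailable (the 0.12.1 behaviour).
    fail_closed=False : the amqps:// request is silently served as a
                        cleartext connection (the vulnerable behaviour).
    ssl_present=None  : probe the installed library; pass a bool to
                        simulate either environment.
    """
    parsed = urlparse(url)
    scheme = (parsed.scheme or "amqp").lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % scheme)
    host = parsed.hostname or "localhost"
    port = parsed.port or DEFAULT_PORTS[scheme]

    if ssl_present is None:
        ssl_present = probe_ssl_support()

    want_tls = scheme == "amqps"
    if want_tls and not ssl_present:
        if fail_closed:
            raise SSLUnavailable(
                "amqps:// requested for %s:%d but SSL support is not "
                "available in the installed Proton library" % (host, port))
        # Vulnerable behaviour: same endpoint, no encryption, no warning.
        return host, port, False
    return host, port, want_tls


if __name__ == "__main__":
    # Constructed broker names; ssl_present is forced so the demo is
    # deterministic regardless of what is installed locally.
    print(plan_connection("amqps://broker.example", ssl_present=True))
    print(plan_connection("amqps://broker.example", ssl_present=False,
                          fail_closed=False))
    try:
        plan_connection("amqps://broker.example", ssl_present=False)
    except SSLUnavailable as exc:
        print("refused:", exc)
```

On an affected release, call probe_ssl_support() (or proton.SSL.present() directly) before handing an amqps:// URL to Connector, Container or BlockingConnection and abort if it returns False; this is the check 0.12.1 performs for you.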

The 0.12.1 release can be downloaded via the website:

http://qpid.apache.org/releases/qpid-proton-0.12.1

A patch is also available:

https://issues.apache.org/jira/browse/PROTON-1157

Impact:

This issue facilitates a man-in-the-middle attack. All communications
passing over the connection can be snooped and/or modified by a third
party.

Credit:

This issue was discovered by M. Farrellee from Red Hat.

Common Vulnerability Score information:

CVSS Base Score 5.8
Impact Subscore 4.9
Exploitability Subscore 8.6
CVSS Temporal Score 5
CVSS Environmental Score 5.7
Modified Impact Subscore 6
Overall CVSS Score 5.7