lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1875149244.42513201.1458742923505.JavaMail.zimbra@redhat.com>
Date: Wed, 23 Mar 2016 10:22:03 -0400 (EDT)
From: Ken Giusti <kgiusti@...hat.com>
To: users@...d.apache, Qpid Developers <dev@...d.apache.org>,
  announce@...che.org, security@...che.org, bugtraq@...urityfocus.com
Subject: CVE-2016-2166: Apache Qpid Proton python binding silently ignores
 request for  'amqps' if SSL/TLS not supported


    Apache Software Foundation - Security Advisory

 Apache Qpid Proton python binding silently ignores request for
 'amqps' if SSL/TLS not supported.

 CVE-2016-2166  CVS: 5.7

 Severity: Moderate

 Vendor:

 The Apache Software Foundation

 Versions Affected:

 Apache Qpid Proton python API starting at 0.9 up to and including
 version 0.12.0.

 Description:

 Messaging applications using the Proton Python API to provision an
 SSL/TLS encrypted TCP connection may actually instantiate a
 non-encrypted connection without notice if SSL support is unavailable.
 This will result in all messages being sent in the clear without the
 knowledge of the user.

 This issue affects those applications that use the Proton Reactor
 Python API to create SSL/TLS connections.  Specifically the
 proton.reactor.Connector, proton.reactor.Container, and
 proton.utils.BlockingConnection classes are vulnerable.  These classes
 can create an unencrypted connections if the "amqps://" URL prefix is
 used.

 The issue only occurs if the installed Proton libraries do not support
 SSL. This would be the case if the libraries were built without SSL
 support or the necessary SSL libraries are not present on the system
 (e.g. OpenSSL in the case of *nix).

 To check whether or not the Python API provides SSL support, use the
 following console command:

 python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"

 In addition, the issue can only occur if both ends of the connection
 connect without SSL.  This would be the case if the vulnerability is
 active on both ends of the connection, or the non-affected endpoint
 allows cleartext connections.

 Solution:

 Proton release 0.12.1 resolves this issue by raising an SSLUnavailable
 exception when SSL is not available and a SSL/TLS connection is
 requested via the "amqps://" URL prefix.

 The 0.12.1 release can be downloaded via the website:

 http://qpid.apache.org/releases/qpid-proton-0.12.1

 A patch is also available:

 https://issues.apache.org/jira/browse/PROTON-1157

 Common Vulnerability Score information:

 This issue facilitates a Man-in-the-middle attack.  All communications
 passing over the connection can be snooped and/or modified by a third
 party.

 Credit:

 This issue was discovered by M. Farrellee from Red Hat.

 Common Vulnerability Score information:

 CVSS Base Score          5.8
 Impact Subscore          4.9
 Exploitability Subscore  8.6
 CVSS Temporal Score      5
 CVSS Environmental Score 5.7
 Modified Impact Subscore 6
 Overall CVSS Score       5.7

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ