{"containers":{"cna":{"affected":[{"product":"Apache Qpid Proton-J","vendor":"Apache Software Foundation","versions":[{"status":"affected","version":"Apache Qpid Proton-J 0.3 to 0.29.0"}]}],"datePublic":"2018-11-13T00:00:00.000Z","descriptions":[{"lang":"en","value":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. 
Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage; explicitly configuring a different verification mode still overrides that default."}],"problemTypes":[{"descriptions":[{"description":"Hostname verification support not implemented, exception thrown if configured.","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2018-11-16T10:57:01.000Z","orgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","shortName":"apache"},"references":[{"tags":["x_refsource_MISC"],"url":"https://issues.apache.org/jira/browse/PROTON-1962"},{"name":"105935","tags":["vdb-entry","x_refsource_BID"],"url":"http://www.securityfocus.com/bid/105935"},{"tags":["x_refsource_MISC"],"url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"},{"tags":["x_refsource_MISC"],"url":"https://qpid.apache.org/cves/CVE-2018-17187.html"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2018-17187","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Qpid Proton-J","version":{"version_data":[{"version_value":"Apache Qpid Proton-J 0.3 to 0.29.0"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, both client and server modes previously defaulted, as documented, to not verifying the peer certificate at all; the available options were to configure that explicitly, or to select a certificate verification mode either with or without hostname verification. 
The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option of verifying that the certificate chains to a trusted issuer, with no check that it was issued for the host being connected to; because any certificate from a trusted issuer is then accepted regardless of the name it carries, such a client remained vulnerable to a Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage; explicitly configuring a different verification mode still overrides that default."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Hostname verification support not implemented, exception thrown if configured."}]}]},"references":{"reference_data":[{"name":"https://issues.apache.org/jira/browse/PROTON-1962","refsource":"MISC","url":"https://issues.apache.org/jira/browse/PROTON-1962"},{"name":"105935","refsource":"BID","url":"http://www.securityfocus.com/bid/105935"},{"name":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","refsource":"MISC","url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"},{"name":"https://qpid.apache.org/cves/CVE-2018-17187.html","refsource":"MISC","url":"https://qpid.apache.org/cves/CVE-2018-17187.html"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-05T10:39:59.671Z"},"title":"CVE Program 
Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://issues.apache.org/jira/browse/PROTON-1962"},{"name":"105935","tags":["vdb-entry","x_refsource_BID","x_transferred"],"url":"http://www.securityfocus.com/bid/105935"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"},{"tags":["x_refsource_MISC","x_transferred"],"url":"https://qpid.apache.org/cves/CVE-2018-17187.html"}]}]},"cveMetadata":{"assignerOrgId":"f0158376-9dc2-43b6-827c-5f631a4d8d09","assignerShortName":"apache","cveId":"CVE-2018-17187","datePublished":"2018-11-13T15:00:00.000Z","dateReserved":"2018-09-19T00:00:00.000Z","dateUpdated":"2024-08-05T10:39:59.671Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}