製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Qpid Proton の複数のクラスにおける重要な情報を取得される脆弱性

Title	Apache Qpid Proton の複数のクラスにおける重要な情報を取得される脆弱性
Summary	Apache Qpid Proton の (1) proton.reactor.Connector、(2) proton.reactor.Container、および (3) proton.utils.BlockingConnection クラスは、 SSL サポートが無効の場合、amqps URI スキームの暗号化されていない接続を適切に使用しないため、重要な情報を取得される、またはデータを変更される脆弱性が存在します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、重要な情報を取得され、データを変更される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 9, 2016, midnight
Registration Date	April 18, 2016, 5:37 p.m.
Last Update	April 18, 2016, 5:37 p.m.

Affected System

Apache Software Foundation

Qpid Proton 0.12.1 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-2166	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2166
National Vulnerability Database (NVD)
2	CVE-2016-2166	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2166

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html

ベンダー情報

No	Name	URL
Apache Qpid
1	Qpid Proton 0.12.1 Release Notes	http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
ASF Git Repos
2	PROTON-1157: fail if amqps: scheme is specified but SSL is not available	https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585
ASF JIRA
3	[PROTON-1157] Reactor sends messages in the clear if ssl is requested but not available.	https://issues.apache.org/jira/browse/PROTON-1157

Change Log

No	Changed Details	Date of change
0	[2016年04月18日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-2166

Summary	The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Publication Date	April 12, 2016, 11:59 p.m.
Registration Date	Jan. 26, 2021, 2:08 p.m.
Last Update	Nov. 21, 2024, 11:47 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:qpid_proton::::::::			0.12.0

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:23:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html	Third Party Advisory
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html	Third Party Advisory
3	http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html	Third Party Advisory
4	http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html	Third Party Advisory
5	http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html	Patch Vendor Advisory
6	http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html	Patch Vendor Advisory
7	http://www.securityfocus.com/archive/1/537864/100/0/threaded
8	http://www.securityfocus.com/archive/1/537864/100/0/threaded
9	https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
10	https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
11	https://issues.apache.org/jira/browse/PROTON-1157	Issue Tracking
12	https://issues.apache.org/jira/browse/PROTON-1157	Issue Tracking
13	https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
14	https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E

Common Vulnerabilities List