NVD Vulnerability Detail

CVE-2018-17187

Summary	The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.
Publication Date	Nov. 14, 2018, 12:29 a.m.
Registration Date	March 1, 2021, 7:06 p.m.
Last Update	Nov. 21, 2024, 12:54 p.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:apache:qpid_proton-j::::::::		0.3	0.29.0

Related information, measures and tools

No	URL	タグ
1	http://www.securityfocus.com/bid/105935	Third Party Advisory VDB Entry
2	http://www.securityfocus.com/bid/105935	Third Party Advisory VDB Entry
3	https://issues.apache.org/jira/browse/PROTON-1962	Vendor Advisory
4	https://issues.apache.org/jira/browse/PROTON-1962	Vendor Advisory
5	https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E	Mailing List Mitigation Vendor Advisory
6	https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E	Mailing List Mitigation Vendor Advisory
7	https://qpid.apache.org/cves/CVE-2018-17187.html	Mitigation Vendor Advisory
8	https://qpid.apache.org/cves/CVE-2018-17187.html	Mitigation Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

JVN Vulnerability Information

Apache Qpid Proton-J における証明書検証に関する脆弱性

Title	Apache Qpid Proton-J における証明書検証に関する脆弱性
Summary	Apache Qpid Proton-J には、証明書検証に関する脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 12, 2018, midnight
Registration Date	March 13, 2019, 5:42 p.m.
Last Update	March 13, 2019, 5:42 p.m.

Affected System

Apache Software Foundation

Apache Qpid Broker-J 0.3 から 0.29.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Apache Qpid
1	CVE-2018-17187	https://qpid.apache.org/cves/CVE-2018-17187.html
Common Vulnerabilities and Exposures (CVE)
2	CVE-2018-17187	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17187
National Vulnerability Database (NVD)
3	CVE-2018-17187	https://nvd.nist.gov/vuln/detail/CVE-2018-17187

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-295	https://cwe.mitre.org/data/definitions/295.html

ベンダー情報

No	Name	URL
Apache Software Foundation
1	[SECURITY] [CVE-2018-17187] Apache Qpid Proton-J transport TLS wrapper hostname verification mode not implemented	https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E
ASF JIRA
2	PROTON-1962	https://issues.apache.org/jira/browse/PROTON-1962

Change Log

No	Changed Details	Date of change
1	[2019年03月13日] 掲載	March 13, 2019, 5:42 p.m.