Apache Pulsar

Mark J. Cox 2022-09-23 10:23:48 +01:00
parent 8fa3966f47
commit 21b07d89f0
No known key found for this signature in database
GPG Key ID: 2039C75CCA6545AB
4 changed files with 379 additions and 28 deletions


@ -1,18 +1,102 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-24280",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Apache Pulsar Proxy target broker address isn't validated"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Pulsar",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "2.7",
"version_value": "2.7.4"
},
{
"version_affected": "<=",
"version_name": "2.8",
"version_value": "2.8.2"
},
{
"version_affected": "<=",
"version_name": "2.9",
"version_value": "2.9.1"
},
{
"version_affected": "<=",
"version_name": "2.6 and earlier",
"version_value": "2.6.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Lari Hotari of DataStax."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Improper Input Validation vulnerability in Proxy component of Apache Pulsar allows an attacker to make TCP/IP connection attempts that originate from the Pulsar Proxy's IP address.\n\nWhen the Apache Pulsar Proxy component is used, it is possible to attempt to open TCP/IP connections to any IP address and port that the Pulsar Proxy can connect to. An attacker could use this as a way for DoS attacks that originate from the Pulsar Proxy's IP address.\nIt hasnt been detected that the Pulsar Proxy authentication can be bypassed. The attacker will have to have a valid token to a properly secured Pulsar Proxy.\n\nThis issue affects Apache Pulsar Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.2; 2.9.0 to 2.9.1; 2.6.4 and earlier."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "important"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-20 Improper Input Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/ghs9jtjfbpy4c6xcftyvkl6swznlom1v"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "To address the issue, upgraded versions of Apache Pulsar Proxy will only allow connections to known broker ports 6650 and 6651 by default. In addition, it is necessary to limit proxied broker connections further to known broker addresses by specifying brokerProxyAllowedHostNames and brokerProxyAllowedIPAddresses Pulsar Proxy settings. In Pulsar Helm chart deployments, the setting names should be prefixed with \"PULSAR_PREFIX_\".\n\n2.7 users should upgrade Pulsar Proxies to 2.7.5 and apply configuration changes.\n2.8 users should upgrade Pulsar Proxies to at least 2.8.3 and apply configuration changes.\n2.9 users should upgrade Pulsar Proxies to at least 2.9.2 and apply configuration changes.\n2.10 users should apply configuration changes.\nAny users running the Pulsar Proxy 2.6.4 and earlier should upgrade to one of the above patched versions and apply configuration changes."
}
]
}
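Review bot: Read as rendered, the new side of this section shows `"data_type"`, `"data_format"` and `"data_version"` both directly after the opening brace and again after the `credit` array; if the first three survive as context rather than being removed, the file ends up with duplicate top-level keys, which RFC 8259 only discourages, I-JSON forbids, and most parsers resolve by silently keeping one copy — the same layout appears in the other three files of this commit, so please confirm the raw diff removes the top copies. `"source": {"discovery": "UNKNOWN"}` is also at odds with the `credit` entry that names the discoverer; the CVE 4.0 `source.discovery` field is normally filled with a value such as `"INTERNAL"` or `"EXTERNAL"`, and the same mismatch is present in CVE-2022-33681, CVE-2022-33682 and CVE-2022-33683. Minor: the description's `It hasnt been detected` should read `It hasn't been detected`.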


@ -1,18 +1,107 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-33681",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Improper Hostname Verification in Java Client and Proxy can expose authentication data via MITM"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Pulsar",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "2.7",
"version_value": "2.7.4"
},
{
"version_affected": "<=",
"version_name": "2.8",
"version_value": "2.8.3"
},
{
"version_affected": "<=",
"version_name": "2.9",
"version_value": "2.9.2"
},
{
"version_affected": "=",
"version_name": "2.10",
"version_value": "2.10.0"
},
{
"version_affected": "<=",
"version_name": "2.6 and earlier",
"version_value": "2.6.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Michael Marshall of DataStax."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy make each client vulnerable to a man in the middle attack. Connections from the Pulsar Java Client to the Pulsar Broker/Proxy and connections from the Pulsar Proxy to the Pulsar Broker are vulnerable. Authentication data is sent before verifying the servers TLS certificate matches the hostname, which means authentication data could be exposed to an attacker.\n\nAn attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host. Because the client sends authentication data before performing hostname verification, an attacker could gain access to the clients authentication data. The client eventually closes the connection when it verifies the hostname and identifies the targeted hostname does not match a hostname on the certificate.\n\nBecause the client eventually closes the connection, the value of the intercepted authentication data depends on the authentication method used by the client. Token based authentication and username/password authentication methods are vulnerable because the authentication data can be used to impersonate the client in a separate session.\n\nThis issue affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/fpo6x10trvn20hlk0dmnr5vlz5v4kl3d"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Any users running affected versions of the Java Client should rotate vulnerable authentication data, including tokens and passwords.\n\n2.7 Pulsar Java Client users should upgrade to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 Pulsar Java Client users should upgrade to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 Pulsar Java Client users should upgrade to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 Pulsar Java Client users should upgrade to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running the Pulsar Java Client for 2.6.4 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords."
}
]
}
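Review bot: The title and the first paragraph of the description say that connections from the Pulsar Proxy to the Broker are vulnerable, but the closing `This issue affects Apache Pulsar Java Client versions ...` sentence and the entire `work_around` text address only Java Client users, so a Proxy operator reading the advisory gets no upgrade instruction. Either add the Proxy to the affected-versions sentence and a `Proxy users should upgrade ...` line to `work_around`, or state that the proxy-side exposure is fixed by the same releases. Two possessives in the description are missing apostrophes: `the servers TLS certificate` and `the clients authentication data`.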


@ -1,18 +1,107 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-33682",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Disabled Hostname Verification makes Brokers, Proxies vulnerable to MITM attack"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Pulsar",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "2.7",
"version_value": "2.7.4"
},
{
"version_affected": "<=",
"version_name": "2.8",
"version_value": "2.8.3"
},
{
"version_affected": "<=",
"version_name": "2.9",
"version_value": "2.9.2"
},
{
"version_affected": "=",
"version_name": "2.10",
"version_value": "2.10.0"
},
{
"version_affected": "<=",
"version_name": "2.6 and earlier",
"version_value": "2.6.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Michael Marshall of DataStax."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client leaving intra-cluster connections and geo-replication connections vulnerable to man in the middle attacks, which could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability is for both the pulsar+ssl protocol and HTTPS.\n\nAn attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host.\n\nThis issue affects Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/l0ynfl161qghwfcgbbl8ld9hzbl9t3yx"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Any users running affected versions of the Pulsar Broker, Pulsar Proxy, or Pulsar WebSocket Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords. \n\nTo enable hostname verification, update the following configuration files.\n\nIn the Broker configuration (broker.conf, by default) and in the WebSocket Proxy configuration (websocket.conf, by default), set:\n\nbrokerClient_tlsHostnameVerificationEnable=true\n\nIn Pulsar Helm chart deployments, the Broker and WebSocket Proxy setting name should be prefixed with \"PULSAR_PREFIX_\".\n\nIn the Proxy configuration (proxy.conf, by default), set:\n\ntlsHostnameVerificationEnabled=true\n\n2.7 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.7.5, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.8 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.8.4, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.9 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.9.3, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\n2.10 users should upgrade Pulsar Brokers, Proxies, and WebSocket Proxies to 2.10.1, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration.\nAny users running Pulsar Brokers, Proxies, and WebSocket Proxies for 2.6.4 and earlier should upgrade to one of the above patched versions, rotate vulnerable authentication data, including tokens and passwords, and apply the above configuration."
}
]
}
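Review bot: `"impact": [{"other": "high"}]` uses a different severity vocabulary from CVE-2022-24280 in the same commit, which records `"important"`; the `"high"` value also appears in CVE-2022-33681 and CVE-2022-33683, so one scale should be chosen for all four records. The `work_around` gives settings for broker.conf, websocket.conf and proxy.conf, but the description also lists the Broker's Java Admin Client and the Proxy's Admin Client as affected and the text does not say which setting governs those after the upgrade — if the quoted flags cover the admin clients as well, say so explicitly. The `work_around` value also carries a stray space before its first line break (`passwords. \n\n`).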


@ -1,18 +1,107 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-33683",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Pulsar",
"version": {
"version_data": [
{
"version_affected": "<=",
"version_name": "2.7",
"version_value": "2.7.4"
},
{
"version_affected": "<=",
"version_name": "2.8",
"version_value": "2.8.3"
},
{
"version_affected": "<=",
"version_name": "2.9",
"version_value": "2.9.2"
},
{
"version_affected": "=",
"version_name": "2.10",
"version_value": "2.10.0"
},
{
"version_affected": "<=",
"version_name": "2.6 and earlier",
"version_value": "2.6.4"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "This issue was discovered by Michael Marshall of DataStax."
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man in the middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients.\n\nAn attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack.\n\nThis issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; 2.6.4 and earlier."
}
]
}
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-295 Improper Certificate Validation"
}
]
}
]
},
"references": {
"reference_data": [
{
"refsource": "CONFIRM",
"url": "https://lists.apache.org/thread/42v5rsxj36r3nhfxhmhb2x12r5jmvx3x"
}
]
},
"source": {
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Any users running affected versions of the Pulsar Broker or Pulsar Proxy should rotate static authentication data vulnerable to man in the middle attacks used by these applications, including tokens and passwords.\n\n2.7 users should upgrade Pulsar Brokers and Proxies to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.\n2.8 users should upgrade Pulsar Brokers and Proxies to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.\n2.9 users should upgrade Pulsar Brokers and Proxies to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.\n2.10 users should upgrade Pulsar Brokers and Proxies to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.\nAny users running Pulsar Brokers and Proxies for 2.6 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.\n\nIn addition to upgrading, it is also necessary to enable hostname verification to prevent man in the middle attacks. Please see CVE-2022-33682 for more information."
}
]
}
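Review bot: The `TITLE` value ends with a trailing space (`... vulnerable to MITM attack "`), which is carried verbatim into every downstream feed that consumes this record; trim it. The `work_around` refers to `Pulsar Brokers and Proxies for 2.6 and earlier` where the description and the other three records say `2.6.4 and earlier`, so the two should be aligned. The final sentence defers hostname verification to CVE-2022-33682; since this record's fix only makes the admin client validate certificates, it may help readers to state here that both the upgrade and the CVE-2022-33682 configuration are required to close the MITM exposure.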