Bug 1320842 (CVE-2016-2166)

Summary: CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abaron, aortega, apevec, ayoung, bkearney, chrisw, cpelland, dallan, esammons, gkotton, iboverma, java-sig-commits, jmatthew, jross, jschluet, kgiusti, kpalko, lhh, lpeer, markmc, mcressma, messaging-bugs, mmccune, ohadlevy, rbryant, rhos-maint, rrajasek, satellite6-bugs, sclewis, tdecacqu, tjay, tlestach, tsanders
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: qpid-proton 0.12.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-01 04:33:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1320843, 1320844, 1320845, 1320846
Bug Blocks: 1320848

Description Andrej Nemec 2016-03-24 07:49:21 UTC
Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user.

This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections.  Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable.  These classes can create an unencrypted connection if the "amqps://" URL prefix is used.

The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

References:

http://seclists.org/bugtraq/2016/Mar/166

Upstream fix:

https://issues.apache.org/jira/browse/PROTON-1157

Upstream fixed release:

http://qpid.apache.org/releases/qpid-proton-0.12.1/

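The silent downgrade described in the report can be guarded against on the application side, which matters for deployments that cannot move to qpid-proton 0.12.1 right away. The following is an added example, not code from the bug report or from the Qpid Proton project: a pre-flight check that parses the connection URL and refuses to proceed when "amqps://" was requested but the installed Proton bindings report no SSL support. It assumes only that proton.SSL.present() exists and returns whether the library was built with SSL (a real Proton API); the TLSUnavailableError class, the check_transport_security() and proton_ssl_present() helpers, and the broker host used in the demo are hypothetical names constructed for this example.

```python
"""Pre-flight transport-security check for Proton connection URLs.

Added example, not part of the bug report or of Qpid Proton. It assumes
proton.SSL.present() (real API) reports SSL availability; every other name
here is a hypothetical helper written for this illustration.
"""
from urllib.parse import urlparse


class TLSUnavailableError(RuntimeError):
    """Raised when amqps:// is requested but TLS cannot be provided.

    Failing loudly here is the point: an affected Proton (before 0.12.1)
    would instead hand back a cleartext connection without any signal.
    """


def proton_ssl_present():
    """Return True if the installed Proton bindings carry SSL support.

    A Proton that is not installed at all is reported as False, so a missing
    library is treated the same as a library built without SSL.
    """
    try:
        from proton import SSL  # real API: proton.SSL.present()
    except ImportError:
        return False
    return bool(SSL.present())


def check_transport_security(url, ssl_present=None):
    """Classify the connection `url` before any socket is opened.

    Returns "tls" for an amqps:// URL when SSL support is available and
    "clear" for a plain amqp:// URL. Raises TLSUnavailableError, instead of
    silently downgrading, when amqps:// was asked for but SSL is unavailable.
    `ssl_present` can be passed explicitly (as in the demo below); by default
    it is read from the installed Proton library.
    """
    if ssl_present is None:
        ssl_present = proton_ssl_present()
    scheme = urlparse(url).scheme.lower()
    if scheme == "amqps":
        if not ssl_present:
            raise TLSUnavailableError(
                f"{url}: TLS requested but Proton has no SSL support; "
                "refusing to fall back to a cleartext connection")
        return "tls"
    if scheme == "amqp":
        return "clear"
    raise ValueError(f"unsupported URL scheme in {url!r}")


def classify_urls(urls, ssl_present):
    """Run the check over several URLs and collect the outcome per URL.

    Errors are captured as strings rather than raised so the whole list is
    reported; useful when auditing a configuration file of broker URLs.
    """
    results = {}
    for url in urls:
        try:
            results[url] = check_transport_security(url, ssl_present)
        except (TLSUnavailableError, ValueError) as exc:
            results[url] = f"refused: {exc}"
    return results


if __name__ == "__main__":
    # Constructed sample URLs; broker.example is a placeholder host.
    sample = ["amqps://broker.example:5671", "amqp://broker.example:5672"]
    # Simulate both library states without needing Proton installed.
    for state in (True, False):
        print(f"ssl_present={state}")
        for url, outcome in classify_urls(sample, state).items():
            print(f"  {url} -> {outcome}")
```

Call check_transport_security() immediately before constructing a BlockingConnection or Container connection, with no ssl_present argument, so that the decision comes from the library actually loaded at runtime. On a Proton built without SSL this turns the silent downgrade into an exception the application can log and act on; on Proton 0.12.1 and later the library refuses the connection itself, and the check simply agrees with it.
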
Comment 1 Andrej Nemec 2016-03-24 07:50:35 UTC
Created qpid-proton tracking bugs for this issue:

Affects: fedora-all [bug 1320843]
Affects: epel-6 [bug 1320845]
Affects: epel-7 [bug 1320846]

Comment 2 Andrej Nemec 2016-03-24 07:50:52 UTC
Created qpid-proton-java tracking bugs for this issue:

Affects: fedora-all [bug 1320844]

Comment 3 Kurt Seifried 2016-06-01 04:33:29 UTC
Statement:

This issue affects the versions of qpid-proton as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.