Bug 1702439 (CVE-2019-0223)
| Summary: | CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | aileenc, apevec, ataylor, avibelli, bbuckingham, bcourt, bgeorges, bkearney, bmcclain, btotty, chazlett, dajohnso, dbecker, dblechte, dfediuck, dmetzger, eedri, esammons, gblomqui, gmccullo, gtanzill, hhudgeon, iboverma, janstey, java-sig-commits, jbalunas, jfrey, jhardy, jijia, jjoyce, jochrist, jpadman, jpallich, jprause, jross, jschluet, jshepherd, kbasil, kdixon, kgiusti, krathod, lhh, lpeer, lthon, mburns, mcressma, messaging-bugs, mgoldboi, michal.skrivanek, mmccune, mszynkie, mvanderw, obarenbo, pgallagh, puntogil, rchan, rcosta, rhos-maint, rjerrido, roliveri, rrajasek, rruss, sbonazzo, sclewis, sherold, simaishi, slinaber, slong, tjay, trogers, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qpid-proton 0.27.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A cryptographic weakness was discovered in qpid-proton's use of TLS. If the qpid-proton client was used without client certificates, it would accept an anonymous cipher offered by the server. A man-in-the-middle attacker could use this to silently intercept traffic that should have been encrypted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:54:35 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1702440, 1702836, 1702837, 1705786, 1705787, 1705788, 1705789, 1706271, 1706272, 1707424, 1710122, 1748475, 1748476, 1748477, 1749547 | ||
| Bug Blocks: | 1702442 | ||
|
Description
Laura Pardo
2019-04-23 19:10:34 UTC
External References: https://qpid.apache.org/cves/CVE-2019-0223.html Created qpid-proton tracking bugs for this issue: Affects: openstack-rdo [bug 1702440] OpenStack8 just went EOL as of 20.April.2019,https://access.redhat.com/support/policy/updates/openstack/platform/ Setting this to wontfix. This issue has been addressed in the following products: AMQ Clients 2.y for RHEL 6 AMQ Clients 2.y for RHEL 7 Via RHSA-2019:0886 https://access.redhat.com/errata/RHSA-2019:0886 Upstream patches (on github, where the diff is available): https://github.com/apache/qpid-proton/commit/4aea0fd8502f5e9af7f22fd60645eeec07bce0b2 https://github.com/apache/qpid-proton/commit/159fac1f90d9b1ace1138d510176e7a5da54e9e9 Statement: Red Hat OpenStack Platform 14 (and its Operational Tools) is impacted by this flaw; other supported versions are not vulnerable. Red Hat Virtualization 4 uses qpid-proton for katello-agent, which always uses client certificate authentication. Red Hat Update Infrastructure 3 is impacted by this flaw, however in its default configuration client certificate authentication is used and qpidd service, which uses qpid-proton, cannot be reach from other machines. Mitigation: This attack will not work if client-certificate authentication is in place because anonymous ciphers would not then be available. Another possible mitigation is to disable anonymous ciphers on clients. This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7 Via RHSA-2019:1398 https://access.redhat.com/errata/RHSA-2019:1398 This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:1400 https://access.redhat.com/errata/RHSA-2019:1400 This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:1399 https://access.redhat.com/errata/RHSA-2019:1399 This issue has been addressed in the following products: Red Hat Satellite 6.5 for RHEL 7 Via RHSA-2019:2777 https://access.redhat.com/errata/RHSA-2019:2777 This issue has been addressed in the following products: Red Hat Satellite 6.4 for RHEL 7 Via RHSA-2019:2778 https://access.redhat.com/errata/RHSA-2019:2778 This issue has been addressed in the following products: Red Hat Satellite 6.3 for RHEL 7 Via RHSA-2019:2779 https://access.redhat.com/errata/RHSA-2019:2779 This issue has been addressed in the following products: Satellite Tools 6.5 for RHEL 8 Satellite Tools 6.5 for RHEL 7.6.TUS Satellite Tools 6.5 for RHEL 7.6.EUS Satellite Tools 6.5 for RHEL 7.6.E4S Satellite Tools 6.5 for RHEL 7.5.EUS Satellite Tools 6.5 for RHEL 7.6.AUS Satellite Tools 6.5 for RHEL 7.4.TUS Satellite Tools 6.5 for RHEL 7.4.EUS Satellite Tools 6.5 for RHEL 7.4.E4S Satellite Tools 6.5 for RHEL 7.4.AUS Satellite Tools 6.5 for RHEL 7.3.TUS Satellite Tools 6.5 for RHEL 7.3.E4S Satellite Tools 6.5 for RHEL 7.3.AUS Satellite Tools 6.5 for RHEL 7.2.TUS Satellite Tools 6.5 for RHEL 7.2.E4S Satellite Tools 6.5 for RHEL 7.2.AUS Satellite Tools 6.5 for RHEL 7 Satellite Tools 6.5 for RHEL 5.ELS Satellite Tools 6.5 for RHEL 5.9.AUS Satellite Tools 6.5 for RHEL 6 Via RHSA-2019:2780 https://access.redhat.com/errata/RHSA-2019:2780 This issue has been addressed in the following products: Satellite Tools 6.4 for RHEL 7 Satellite Tools 6.4 for RHEL 7.2.AUS Satellite Tools 6.4 for RHEL 7.2.E4S Satellite Tools 6.4 for RHEL 7.2.TUS Satellite Tools 6.4 for RHEL 7.3.AUS Satellite Tools 6.4 for RHEL 7.3.E4S Satellite Tools 6.4 for RHEL 7.3.TUS Satellite Tools 6.4 for RHEL 7.4.AUS Satellite Tools 6.4 for RHEL 7.4.E4S Satellite Tools 6.4 for RHEL 7.4.TUS Satellite Tools 6.4 for RHEL 7.5.EUS Satellite Tools 6.4 for RHEL 7.4.EUS Satellite Tools 6.4 for RHEL 7.6.EUS Satellite Tools 6.4 for RHEL 7.6.E4S Satellite Tools 6.4 for RHEL 7.6.AUS Satellite Tools 6.4 for RHEL 7.6.TUS Satellite Tools 6.4 for RHEL 5.9.AUS Satellite Tools 6.4 for RHEL 5.ELS Satellite Tools 6.4 for RHEL 6 Satellite Tools 6.4 for RHEL 6.7.EUS Via RHSA-2019:2782 https://access.redhat.com/errata/RHSA-2019:2782 This issue has been addressed in the following products: Satellite Tools 6.3 for RHEL 7 Satellite Tools 6.3 for RHEL 7.2.AUS Satellite Tools 6.3 for RHEL 7.2.EUS Satellite Tools 6.3 for RHEL 7.3.AUS Satellite Tools 6.3 for RHEL 7.3.EUS Satellite Tools 6.3 for RHEL 7.4.EUS Satellite Tools 6.3 for RHEL 7.4.AUS Satellite Tools 6.3 for RHEL 7.4.E4S Satellite Tools 6.3 for RHEL 7.3.E4S Satellite Tools 6.3 for RHEL 7.2.E4S Satellite Tools 6.3 for RHEL 7.5.EUS Satellite Tools 6.3 for RHEL 7.6.EUS Satellite Tools 6.3 for RHEL 7.6.AUS Satellite Tools 6.3 for RHEL 7.6.E4S Satellite Tools 6.3 for RHEL 5.9.AUS Satellite Tools 6.3 for RHEL 5.ELS Satellite Tools 6.3 for RHEL 6 Satellite Tools 6.3 for RHEL 6.4.AUS Satellite Tools 6.3 for RHEL 6.5.AUS Satellite Tools 6.3 for RHEL 6.7.EUS Satellite Tools 6.3 for RHEL 6.6.AUS Via RHSA-2019:2781 https://access.redhat.com/errata/RHSA-2019:2781 |