Bug 1147311 (CVE-2014-7202) - CVE-2014-7202 zeromq: stream engine security can be downgraded by client.
Summary: CVE-2014-7202 zeromq: stream engine security can be downgraded by client.
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-7202
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1147291
TreeView+ depends on / blocked
 
Reported: 2014-09-29 01:38 UTC by Wade Mealing
Modified: 2021-02-17 06:10 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-09 04:45:51 UTC
Embargoed:


Attachments (Terms of Use)

Description Wade Mealing 2014-09-29 01:38:07 UTC
When accepting a connection as client or server, the engine takes the mechanism from the peer and implements the peers
mechanism without ensuring hat it matches the mechanism set on the socket.  This may allow an attacker to create a situation
in which they can create a man-in-the-middle downgrade attack.

Comment 1 Murray McAllister 2014-09-29 02:39:29 UTC
Upstream commit:

https://github.com/hintjens/libzmq/commit/77f14aad95cdf0d2a244ae9b4a025e5ba0adf01a

From a brief inspection, it appears as though zeromq and zeromq 3 in Fedora may not be affected.

Comment 3 Wade Mealing 2014-10-08 00:27:19 UTC
Statement:

This issue did not affect the versions of zeromq as shipped with Inktank Ceph Enterprise 1.2 and 1.3.

Comment 4 Wade Mealing 2014-10-09 04:41:07 UTC
The fedora 20 release zeromq3-3.2.4-1.fc20.src.rpm ,is the same release that was audited by the inktank developers found to be not affected by this issue.


Note You need to log in before you can comment on or make changes to this bug.