Bug 1678313 (CVE-2019-3890) - CVE-2019-3890 evolution-ews: all certificate errors ignored if error is ignored during initial account setup in gnome-online-accounts
Summary: CVE-2019-3890 evolution-ews: all certificate errors ignored if error is ignor...
Alias: CVE-2019-3890
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1678314 1696760 1696761 1696762 1696763
Blocks: 1678315
TreeView+ depends on / blocked
Reported: 2019-02-18 13:35 UTC by msiddiqu
Modified: 2020-03-31 19:21 UTC (History)
1 user (show)

Fixed In Version: evolution-ewx 3.31.3
Doc Type: If docs needed, set a value
Doc Text:
It was discovered evolution-ews does not check the validity of SSL certificates. An attacker could abuse this flaw to get confidential information by tricking the user into connecting to a fake server without the user noticing the difference.
Clone Of:
Last Closed: 2019-11-06 00:52:14 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3699 0 None None None 2019-11-05 22:05:34 UTC
Red Hat Product Errata RHSA-2020:1080 0 None None None 2020-03-31 19:21:27 UTC

Description msiddiqu 2019-02-18 13:35:20 UTC
Evolution Exchange Web Services can silently ignore *all* certificate errors if configured to ignore an initial error in gnome-online-accounts creation. This renders transport security worse than zero as it does not even indicate (logs or UI) that a questionable certificate was presented, leaving the connection open to being viewed and modified.

Upstream issue:


Comment 1 msiddiqu 2019-02-18 13:35:33 UTC
Created evolution-ews tracking bugs for this issue:

Affects: fedora-all [bug 1678314]

Comment 2 Milan Crha 2019-02-18 14:29:01 UTC
Thanks for a bug report. The upstream bug had been marked as a duplicate of an older bug there. I'd prefer not to duplicate the work here, also because the upstream changes are not tested yet and because the change requires changes on the evolution-data-server side as well. I'd commit it to the stable version already otherwise.

Comment 10 Riccardo Schirone 2019-04-05 14:48:28 UTC
Upstream issue:

Comment 11 Riccardo Schirone 2019-04-05 15:02:39 UTC
According to https://gitlab.gnome.org/GNOME/evolution-ews/issues/27, evolution-ews does not validate SSL certificate at all.

Comment 13 errata-xmlrpc 2019-11-05 22:05:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3699 https://access.redhat.com/errata/RHSA-2019:3699

Comment 14 Product Security DevOps Team 2019-11-06 00:52:14 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 15 errata-xmlrpc 2020-03-31 19:21:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:1080 https://access.redhat.com/errata/RHSA-2020:1080

Note You need to log in before you can comment on or make changes to this bug.