Bug 1702439 (CVE-2019-0223) - CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability
Summary: CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-0223
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1702440 1707424 1702836 1702837 1705786 1705787 1705788 1705789 1706271 1706272 1710122 1748475 1748476 1748477 1749547
Blocks: 1702442
Reported: 2019-04-23 19:10 UTC by Laura Pardo
Modified: 2019-12-10 19:14 UTC

Fixed In Version: qpid-proton 0.27.1
Doc Type: If docs needed, set a value
Doc Text:
A cryptographic weakness was discovered in qpid-proton's use of TLS. If the qpid-proton client was used without client certificates, it would accept an anonymous cipher offered by the server. A man-in-the-middle attacker could use this to silently intercept traffic that should have been encrypted.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:54:35 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0886 None None None 2019-04-25 07:43:15 UTC
Red Hat Product Errata RHSA-2019:1398 None None None 2019-06-06 15:52:13 UTC
Red Hat Product Errata RHSA-2019:1399 None None None 2019-06-06 15:56:47 UTC
Red Hat Product Errata RHSA-2019:1400 None None None 2019-06-06 15:55:24 UTC
Red Hat Product Errata RHSA-2019:2777 None None None 2019-09-17 00:25:33 UTC
Red Hat Product Errata RHSA-2019:2778 None None None 2019-09-17 01:32:38 UTC
Red Hat Product Errata RHSA-2019:2779 None None None 2019-09-17 02:08:44 UTC
Red Hat Product Errata RHSA-2019:2780 None None None 2019-09-17 14:27:08 UTC
Red Hat Product Errata RHSA-2019:2781 None None None 2019-09-20 11:40:32 UTC
Red Hat Product Errata RHSA-2019:2782 None None None 2019-09-20 11:26:15 UTC

Description Laura Pardo 2019-04-23 19:10:34 UTC
The TLS support in Apache Qpid Proton 0.9 - 0.27.0 when using OpenSSL prior to 1.1.0 can under some circumstances connect as a client to a TLS server that offers anonymous ciphers irrespective of whether the client was configured to verify the server's certificate or certificate against the hostname used to connect. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. This includes the Qpid Proton C library, and all language binding libraries using it. This attack will not work if client certificate authentication is in use as anonymous ciphers cannot be used in this case.


References:
https://issues.apache.org/jira/browse/PROTON-2014
https://qpid.apache.org/cves/CVE-2019-0223.html

Upstream Patch:
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a

Comment 1 Laura Pardo 2019-04-23 19:10:40 UTC
External References:

https://qpid.apache.org/cves/CVE-2019-0223.html

Comment 2 Laura Pardo 2019-04-23 19:10:54 UTC
Created qpid-proton tracking bugs for this issue:

Affects: openstack-rdo [bug 1702440]

Comment 3 Summer Long 2019-04-24 04:38:17 UTC
OpenStack 8 just went EOL as of 20 April 2019, https://access.redhat.com/support/policy/updates/openstack/platform/
Setting this to wontfix.

Comment 5 errata-xmlrpc 2019-04-25 07:43:13 UTC
This issue has been addressed in the following products:

  AMQ Clients 2.y for RHEL 6
  AMQ Clients 2.y for RHEL 7

Via RHSA-2019:0886 https://access.redhat.com/errata/RHSA-2019:0886

Comment 22 Riccardo Schirone 2019-05-07 13:50:16 UTC
Statement:

Red Hat OpenStack Platform 14 (and its Operational Tools) is impacted by this flaw; other supported versions are not vulnerable.

Red Hat Virtualization 4 uses qpid-proton for katello-agent, which always uses client certificate authentication.

Red Hat Update Infrastructure 3 is impacted by this flaw; however, in its default configuration client certificate authentication is used and the qpidd service, which uses qpid-proton, cannot be reached from other machines.

Comment 23 Richard Maciel Costa 2019-05-07 22:07:33 UTC
Mitigation:

This attack will not work if client-certificate authentication is in place because anonymous ciphers would not then be available.
Another possible mitigation is to disable anonymous ciphers on clients.
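
One way to check a client-side cipher configuration for the anonymous suites this mitigation refers to, as an added example using Python's ssl module on top of OpenSSL (not qpid-proton's own code); the cipher strings and the sample cipher list are constructed for illustration:

```python
"""Audit a TLS client cipher configuration for anonymous (aNULL) suites.

Added example, not qpid-proton code. Anonymous suites carry no server
certificate, so a client that enables them gives the verifier nothing to
check, whatever its verify mode says: that is the man-in-the-middle window.
"""
import ssl

# Cipher strings are assumptions for illustration, not proton's own lists.
HARDENED = "DEFAULT:!aNULL:!eNULL"  # forbid anonymous and null-encryption suites
PERMISSIVE = "ALL:aNULL"            # re-enables ADH/AECDH suites, if the build has them

# Constructed sample shaped like SSLContext.get_ciphers() output.
SAMPLE = [
    {"name": "ADH-AES128-SHA",
     "description": "ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256",
     "description": "ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD"},
    {"name": "TLS_AES_128_GCM_SHA256",
     "description": "TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD"},
]

def anonymous_suites(ciphers):
    """Names of suites whose OpenSSL description reports Au=None (no authentication)."""
    found = []
    for c in ciphers:
        fields = dict(t.split("=", 1) for t in c["description"].split() if "=" in t)
        if fields.get("Au") == "None":
            found.append(c["name"])
    return found

def audit_cipher_string(spec):
    """Anonymous suites a client context would enable for `spec` ([] if OpenSSL rejects it)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:  # no suite in the spec is available in this build
        return []
    return anonymous_suites(ctx.get_ciphers())

def hardened_client_context():
    """Client context that verifies the peer and cannot negotiate a suite without one."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.set_ciphers(HARDENED)
    return ctx

if __name__ == "__main__":
    print("permissive spec enables:", audit_cipher_string(PERMISSIVE))
    print("hardened context enables:", anonymous_suites(hardened_client_context().get_ciphers()))
```

Running the audit against a client's effective cipher string is the quick check that the "disable anonymous ciphers" mitigation actually took effect on a given OpenSSL build.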

Comment 28 Joshua Padman 2019-05-15 23:05:41 UTC
This vulnerability is out of security support scope for the following products:
 * Red Hat JBoss A-MQ 6
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 29 errata-xmlrpc 2019-06-06 15:52:11 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7

Via RHSA-2019:1398 https://access.redhat.com/errata/RHSA-2019:1398

Comment 30 errata-xmlrpc 2019-06-06 15:55:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1400 https://access.redhat.com/errata/RHSA-2019:1400

Comment 31 errata-xmlrpc 2019-06-06 15:56:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1399 https://access.redhat.com/errata/RHSA-2019:1399

Comment 35 errata-xmlrpc 2019-09-17 00:25:29 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2019:2777 https://access.redhat.com/errata/RHSA-2019:2777

Comment 36 errata-xmlrpc 2019-09-17 01:32:35 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2019:2778 https://access.redhat.com/errata/RHSA-2019:2778

Comment 37 errata-xmlrpc 2019-09-17 02:08:40 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2019:2779 https://access.redhat.com/errata/RHSA-2019:2779

Comment 38 errata-xmlrpc 2019-09-17 14:27:05 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.5 for RHEL 8
  Satellite Tools 6.5 for RHEL 7.6.TUS
  Satellite Tools 6.5 for RHEL 7.6.EUS
  Satellite Tools 6.5 for RHEL 7.6.E4S
  Satellite Tools 6.5 for RHEL 7.5.EUS
  Satellite Tools 6.5 for RHEL 7.6.AUS
  Satellite Tools 6.5 for RHEL 7.4.TUS
  Satellite Tools 6.5 for RHEL 7.4.EUS
  Satellite Tools 6.5 for RHEL 7.4.E4S
  Satellite Tools 6.5 for RHEL 7.4.AUS
  Satellite Tools 6.5 for RHEL 7.3.TUS
  Satellite Tools 6.5 for RHEL 7.3.E4S
  Satellite Tools 6.5 for RHEL 7.3.AUS
  Satellite Tools 6.5 for RHEL 7.2.TUS
  Satellite Tools 6.5 for RHEL 7.2.E4S
  Satellite Tools 6.5 for RHEL 7.2.AUS
  Satellite Tools 6.5 for RHEL 7
  Satellite Tools 6.5 for RHEL 5.ELS
  Satellite Tools 6.5 for RHEL 5.9.AUS
  Satellite Tools 6.5 for RHEL 6

Via RHSA-2019:2780 https://access.redhat.com/errata/RHSA-2019:2780

Comment 39 errata-xmlrpc 2019-09-20 11:26:11 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.4 for RHEL 7
  Satellite Tools 6.4 for RHEL 7.2.AUS
  Satellite Tools 6.4 for RHEL 7.2.E4S
  Satellite Tools 6.4 for RHEL 7.2.TUS
  Satellite Tools 6.4 for RHEL 7.3.AUS
  Satellite Tools 6.4 for RHEL 7.3.E4S
  Satellite Tools 6.4 for RHEL 7.3.TUS
  Satellite Tools 6.4 for RHEL 7.4.AUS
  Satellite Tools 6.4 for RHEL 7.4.E4S
  Satellite Tools 6.4 for RHEL 7.4.TUS
  Satellite Tools 6.4 for RHEL 7.5.EUS
  Satellite Tools 6.4 for RHEL 7.4.EUS
  Satellite Tools 6.4 for RHEL 7.6.EUS
  Satellite Tools 6.4 for RHEL 7.6.E4S
  Satellite Tools 6.4 for RHEL 7.6.AUS
  Satellite Tools 6.4 for RHEL 7.6.TUS
  Satellite Tools 6.4 for RHEL 5.9.AUS
  Satellite Tools 6.4 for RHEL 5.ELS
  Satellite Tools 6.4 for RHEL 6
  Satellite Tools 6.4 for RHEL 6.7.EUS

Via RHSA-2019:2782 https://access.redhat.com/errata/RHSA-2019:2782

Comment 40 errata-xmlrpc 2019-09-20 11:40:28 UTC
This issue has been addressed in the following products:

  Satellite Tools 6.3 for RHEL 7
  Satellite Tools 6.3 for RHEL 7.2.AUS
  Satellite Tools 6.3 for RHEL 7.2.EUS
  Satellite Tools 6.3 for RHEL 7.3.AUS
  Satellite Tools 6.3 for RHEL 7.3.EUS
  Satellite Tools 6.3 for RHEL 7.4.EUS
  Satellite Tools 6.3 for RHEL 7.4.AUS
  Satellite Tools 6.3 for RHEL 7.4.E4S
  Satellite Tools 6.3 for RHEL 7.3.E4S
  Satellite Tools 6.3 for RHEL 7.2.E4S
  Satellite Tools 6.3 for RHEL 7.5.EUS
  Satellite Tools 6.3 for RHEL 7.6.EUS
  Satellite Tools 6.3 for RHEL 7.6.AUS
  Satellite Tools 6.3 for RHEL 7.6.E4S
  Satellite Tools 6.3 for RHEL 5.9.AUS
  Satellite Tools 6.3 for RHEL 5.ELS
  Satellite Tools 6.3 for RHEL 6
  Satellite Tools 6.3 for RHEL 6.4.AUS
  Satellite Tools 6.3 for RHEL 6.5.AUS
  Satellite Tools 6.3 for RHEL 6.7.EUS
  Satellite Tools 6.3 for RHEL 6.6.AUS

Via RHSA-2019:2781 https://access.redhat.com/errata/RHSA-2019:2781
