The TLS support in Apache Qpid Proton 0.9 - 0.27.0 when using OpenSSL prior to 1.1.0 can under some circumstances connect as a client to a TLS server that offers anonymous ciphers, irrespective of whether the client was configured to verify the server's certificate or to check that certificate against the hostname used to connect. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic. This includes the Qpid Proton C library, and all language binding libraries using it. This attack will not work if client certificate authentication is in use, as anonymous ciphers cannot be used in this case.

References:
https://issues.apache.org/jira/browse/PROTON-2014
https://qpid.apache.org/cves/CVE-2019-0223.html

Upstream Patch:
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd
https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a
External References: https://qpid.apache.org/cves/CVE-2019-0223.html
Created qpid-proton tracking bugs for this issue:

Affects: openstack-rdo [bug 1702440]
OpenStack 8 went EOL as of 20 April 2019, see https://access.redhat.com/support/policy/updates/openstack/platform/. Setting this to wontfix.
This issue has been addressed in the following products:

AMQ Clients 2.y for RHEL 6
AMQ Clients 2.y for RHEL 7

Via RHSA-2019:0886 https://access.redhat.com/errata/RHSA-2019:0886
Upstream patches (on github, where the diff is available):
https://github.com/apache/qpid-proton/commit/4aea0fd8502f5e9af7f22fd60645eeec07bce0b2
https://github.com/apache/qpid-proton/commit/159fac1f90d9b1ace1138d510176e7a5da54e9e9
Statement: Red Hat OpenStack Platform 14 (and its Operational Tools) is impacted by this flaw; other supported versions are not vulnerable. Red Hat Virtualization 4 uses qpid-proton for katello-agent, which always uses client certificate authentication. Red Hat Update Infrastructure 3 is impacted by this flaw; however, in its default configuration client certificate authentication is used and the qpidd service, which uses qpid-proton, cannot be reached from other machines.
Mitigation: This attack will not work if client-certificate authentication is in place because anonymous ciphers would not then be available. Another possible mitigation is to disable anonymous ciphers on clients.
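Added example (not Qpid Proton code and not part of this bug report): the mitigation above says to disable anonymous ciphers on the client. The script below uses only Python's ssl module (OpenSSL underneath) to show why that matters. It builds a client context that requests certificate and hostname verification but still admits anonymous suites, drives an in-memory TLS 1.2 handshake against a server that owns no certificate at all, and reports what happened; then it repeats the handshake with a client whose cipher string carries "!aNULL", which is the fix. It also includes an audit helper that flags anonymous suites in a context's cipher list. The cipher strings, the hostname broker.example.net and the function names are assumptions for the demo; whether the weak client actually completes the anonymous handshake depends on the local OpenSSL build still shipping aNULL suites, and the script says so instead of guessing.

```python
# Added example (not Qpid Proton code): why "verify the certificate" is not
# enough while anonymous suites stay enabled, and how to audit a client
# context. Only Python's ssl module (OpenSSL underneath) is used.
import ssl

# Assumed hardening profile: any OpenSSL cipher string will do as long as it
# carries "!aNULL" (no anonymous DH/ECDH suites) and "!eNULL" (no null crypto).
SAFE_CIPHERS = "HIGH:!aNULL:!eNULL"
# Deliberately weak profile mirroring the flaw: verification is requested,
# but anonymous suites remain selectable. "@SECLEVEL=0" is needed on modern
# OpenSSL for aNULL suites to be admitted at all.
WEAK_CIPHERS = "ALL:@SECLEVEL=0"
# A server that owns no certificate and can only speak anonymous suites.
ANON_SERVER_CIPHERS = "aNULL:@SECLEVEL=0"


def anonymous_suites(cipher_info):
    """Return names of suites that authenticate nobody.

    cipher_info is a list of dicts shaped like SSLContext.get_ciphers().
    OpenSSL describes such suites with "Au=None"; Python exposes the same
    fact as auth == "auth-null". Either marker counts.
    """
    return [c["name"] for c in cipher_info
            if c.get("auth") == "auth-null" or "Au=None" in c.get("description", "")]


def client_context(ciphers, cafile=None):
    """Client context that requests certificate and hostname verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile)
    ctx.set_ciphers(ciphers)
    # Anonymous suites exist only up to TLS 1.2; pin the demo there so the
    # negotiation can actually reach them.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def handshake_in_memory(client_ctx, server_ctx, hostname="broker.example.net"):
    """Run a TLS handshake between two contexts over memory BIOs (no sockets).

    Returns (negotiated cipher name, client's view of the peer certificate).
    Raises ssl.SSLError if either side aborts the handshake.
    """
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = client_ctx.wrap_bio(to_client, to_server, server_side=False,
                                 server_hostname=hostname)  # hostname is an assumption
    server = server_ctx.wrap_bio(to_server, to_client, server_side=True)

    def step(side):
        try:
            side.do_handshake()
            return True
        except ssl.SSLWantReadError:  # waiting for the other side's next flight
            return False

    for _ in range(16):  # TLS 1.2 converges within a few round trips
        client_done = step(client)
        server_done = step(server)
        if client_done and server_done:
            return client.cipher()[0], client.getpeercert()
    raise ssl.SSLError("handshake did not converge")


def run_demo():
    """Weak vs. hardened client against a certificate-less server.

    Returns None when this OpenSSL build has no anonymous suites at all
    (nothing to demonstrate); otherwise a dict with both outcomes.
    """
    try:
        anon_server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        anon_server.set_ciphers(ANON_SERVER_CIPHERS)
        anon_server.maximum_version = ssl.TLSVersion.TLSv1_2
        weak = client_context(WEAK_CIPHERS)
    except ssl.SSLError:
        return None
    hardened = client_context(SAFE_CIPHERS)
    result = {
        "weak_client_anon_suites": len(anonymous_suites(weak.get_ciphers())),
        "hardened_client_anon_suites": len(anonymous_suites(hardened.get_ciphers())),
    }
    try:
        cipher, peer_cert = handshake_in_memory(weak, anon_server)
        # CERT_REQUIRED plus check_hostname, yet nothing was ever checked:
        # there was no certificate to check, so getpeercert() is None.
        result["weak_client"] = "connected with %s, peer certificate: %r" % (cipher, peer_cert)
    except (ssl.SSLError, ValueError) as exc:
        result["weak_client"] = "rejected: %s" % exc
    try:
        handshake_in_memory(hardened, anon_server)
        result["hardened_rejects"] = False
    except ssl.SSLError:
        result["hardened_rejects"] = True  # no shared cipher: the fix holds
    return result


if __name__ == "__main__":
    outcome = run_demo() or {"status": "no anonymous suites in this OpenSSL build"}
    for key, value in outcome.items():
        print("%s: %s" % (key, value))
```

The check a practitioner can lift from this is the audit: run anonymous_suites() over get_ciphers() of whatever client context the application actually builds, and treat a non-empty result as a finding regardless of verify_mode, because OpenSSL skips peer verification entirely when no certificate is sent.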
This vulnerability is out of security support scope for the following products: * Red Hat JBoss A-MQ 6 * Red Hat JBoss Fuse 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:

Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7

Via RHSA-2019:1398 https://access.redhat.com/errata/RHSA-2019:1398

This issue has been addressed in the following products:

Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:1400 https://access.redhat.com/errata/RHSA-2019:1400

This issue has been addressed in the following products:

Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:1399 https://access.redhat.com/errata/RHSA-2019:1399

This issue has been addressed in the following products:

Red Hat Satellite 6.5 for RHEL 7

Via RHSA-2019:2777 https://access.redhat.com/errata/RHSA-2019:2777

This issue has been addressed in the following products:

Red Hat Satellite 6.4 for RHEL 7

Via RHSA-2019:2778 https://access.redhat.com/errata/RHSA-2019:2778

This issue has been addressed in the following products:

Red Hat Satellite 6.3 for RHEL 7

Via RHSA-2019:2779 https://access.redhat.com/errata/RHSA-2019:2779

This issue has been addressed in the following products:

Satellite Tools 6.5 for RHEL 8
Satellite Tools 6.5 for RHEL 7.6.TUS
Satellite Tools 6.5 for RHEL 7.6.EUS
Satellite Tools 6.5 for RHEL 7.6.E4S
Satellite Tools 6.5 for RHEL 7.5.EUS
Satellite Tools 6.5 for RHEL 7.6.AUS
Satellite Tools 6.5 for RHEL 7.4.TUS
Satellite Tools 6.5 for RHEL 7.4.EUS
Satellite Tools 6.5 for RHEL 7.4.E4S
Satellite Tools 6.5 for RHEL 7.4.AUS
Satellite Tools 6.5 for RHEL 7.3.TUS
Satellite Tools 6.5 for RHEL 7.3.E4S
Satellite Tools 6.5 for RHEL 7.3.AUS
Satellite Tools 6.5 for RHEL 7.2.TUS
Satellite Tools 6.5 for RHEL 7.2.E4S
Satellite Tools 6.5 for RHEL 7.2.AUS
Satellite Tools 6.5 for RHEL 7
Satellite Tools 6.5 for RHEL 5.ELS
Satellite Tools 6.5 for RHEL 5.9.AUS
Satellite Tools 6.5 for RHEL 6

Via RHSA-2019:2780 https://access.redhat.com/errata/RHSA-2019:2780

This issue has been addressed in the following products:

Satellite Tools 6.4 for RHEL 7
Satellite Tools 6.4 for RHEL 7.2.AUS
Satellite Tools 6.4 for RHEL 7.2.E4S
Satellite Tools 6.4 for RHEL 7.2.TUS
Satellite Tools 6.4 for RHEL 7.3.AUS
Satellite Tools 6.4 for RHEL 7.3.E4S
Satellite Tools 6.4 for RHEL 7.3.TUS
Satellite Tools 6.4 for RHEL 7.4.AUS
Satellite Tools 6.4 for RHEL 7.4.E4S
Satellite Tools 6.4 for RHEL 7.4.TUS
Satellite Tools 6.4 for RHEL 7.5.EUS
Satellite Tools 6.4 for RHEL 7.4.EUS
Satellite Tools 6.4 for RHEL 7.6.EUS
Satellite Tools 6.4 for RHEL 7.6.E4S
Satellite Tools 6.4 for RHEL 7.6.AUS
Satellite Tools 6.4 for RHEL 7.6.TUS
Satellite Tools 6.4 for RHEL 5.9.AUS
Satellite Tools 6.4 for RHEL 5.ELS
Satellite Tools 6.4 for RHEL 6
Satellite Tools 6.4 for RHEL 6.7.EUS

Via RHSA-2019:2782 https://access.redhat.com/errata/RHSA-2019:2782

This issue has been addressed in the following products:

Satellite Tools 6.3 for RHEL 7
Satellite Tools 6.3 for RHEL 7.2.AUS
Satellite Tools 6.3 for RHEL 7.2.EUS
Satellite Tools 6.3 for RHEL 7.3.AUS
Satellite Tools 6.3 for RHEL 7.3.EUS
Satellite Tools 6.3 for RHEL 7.4.EUS
Satellite Tools 6.3 for RHEL 7.4.AUS
Satellite Tools 6.3 for RHEL 7.4.E4S
Satellite Tools 6.3 for RHEL 7.3.E4S
Satellite Tools 6.3 for RHEL 7.2.E4S
Satellite Tools 6.3 for RHEL 7.5.EUS
Satellite Tools 6.3 for RHEL 7.6.EUS
Satellite Tools 6.3 for RHEL 7.6.AUS
Satellite Tools 6.3 for RHEL 7.6.E4S
Satellite Tools 6.3 for RHEL 5.9.AUS
Satellite Tools 6.3 for RHEL 5.ELS
Satellite Tools 6.3 for RHEL 6
Satellite Tools 6.3 for RHEL 6.4.AUS
Satellite Tools 6.3 for RHEL 6.5.AUS
Satellite Tools 6.3 for RHEL 6.7.EUS
Satellite Tools 6.3 for RHEL 6.6.AUS

Via RHSA-2019:2781 https://access.redhat.com/errata/RHSA-2019:2781