Bug 1320842 (CVE-2016-2166) - CVE-2016-2166 qpid-proton: reactor sends messages in clear if ssl is requested but not available
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-2166
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1320843 1320844 1320845 1320846
Blocks: 1320848
Reported: 2016-03-24 07:49 UTC by Andrej Nemec
Modified: 2021-02-17 04:08 UTC

Fixed In Version: qpid-proton 0.12.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-06-01 04:33:29 UTC



Description Andrej Nemec 2016-03-24 07:49:21 UTC
Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user.

This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections.  Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable.  These classes can create unencrypted connections if the "amqps://" URL prefix is used.

The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

References:

http://seclists.org/bugtraq/2016/Mar/166

Upstream fix:

https://issues.apache.org/jira/browse/PROTON-1157

Upstream fixed release:

http://qpid.apache.org/releases/qpid-proton-0.12.1/
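
A fail-closed pre-connection check for the condition described above, as an added example that is not part of the original report or of qpid-proton's own code. The names check_amqp_url and TLSUnavailable and the broker hostname are hypothetical; proton.SSL.present() is the Python binding's probe for SSL support, and a missing binding is treated here as no SSL.

```python
from urllib.parse import urlsplit


class TLSUnavailable(RuntimeError):
    """Raised instead of silently falling back to a plaintext connection."""


def proton_ssl_present():
    """Ask the installed Proton binding whether it was built with SSL support."""
    try:
        from proton import SSL  # python-qpid-proton; imported lazily
    except ImportError:
        return False  # assumption: no binding means no TLS
    return bool(SSL.present())


def check_amqp_url(url, ssl_present=proton_ssl_present, allow_plaintext=False):
    """Return 'tls' or 'plaintext' for a URL that is safe to hand to Proton.

    Hypothetical helper: call it before creating a Connector, Container
    connection or BlockingConnection. It refuses amqps:// when the library
    cannot encrypt, and refuses amqp:// unless the caller opts in explicitly.
    """
    scheme = urlsplit(url).scheme.lower()
    if scheme == "amqps":
        if not ssl_present():
            raise TLSUnavailable(
                "amqps:// requested but Proton has no SSL support; "
                "refusing to connect in the clear"
            )
        return "tls"
    if scheme == "amqp":
        if not allow_plaintext:
            raise ValueError("plaintext amqp:// is not allowed by policy")
        return "plaintext"
    raise ValueError("unsupported or missing URL scheme: %r" % scheme)


if __name__ == "__main__":
    # Constructed sample URL; the result depends on the local Proton build.
    try:
        print(check_amqp_url("amqps://broker.example:5671/queue"))
    except TLSUnavailable as exc:
        print("blocked:", exc)
```
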

Comment 1 Andrej Nemec 2016-03-24 07:50:35 UTC
Created qpid-proton tracking bugs for this issue:

Affects: fedora-all [bug 1320843]
Affects: epel-6 [bug 1320845]
Affects: epel-7 [bug 1320846]

Comment 2 Andrej Nemec 2016-03-24 07:50:52 UTC
Created qpid-proton-java tracking bugs for this issue:

Affects: fedora-all [bug 1320844]

Comment 3 Kurt Seifried 2016-06-01 04:33:29 UTC
Statement:

This issue affects the versions of qpid-proton as shipped with Red Hat Satellite version 6. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

