From commits-return-47371-archive-asf-public=cust-asf.ponee.io@qpid.apache.org Mon Nov 12 11:52:32 2018
Return-Path:
X-Original-To: archive-asf-public@cust-asf.ponee.io
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by mx-eu-01.ponee.io (Postfix) with SMTP id 33473180660 for ; Mon, 12 Nov 2018 11:52:31 +0100 (CET)
Received: (qmail 17849 invoked by uid 500); 12 Nov 2018 10:52:30 -0000
Mailing-List: contact commits-help@qpid.apache.org; run by ezmlm
Precedence: bulk
List-Help:
List-Unsubscribe:
List-Post:
List-Id:
Reply-To: dev@qpid.apache.org
Delivered-To: mailing list commits@qpid.apache.org
Received: (qmail 17840 invoked by uid 99); 12 Nov 2018 10:52:30 -0000
Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 12 Nov 2018 10:52:30 +0000
Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 31F13E0966; Mon, 12 Nov 2018 10:52:30 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: robbie@apache.org
To: commits@qpid.apache.org
Message-Id: <65fdf8d7c08d4ae9b2acbcf526f69627@git.apache.org>
X-Mailer: ASF-Git Admin Mailer
Subject: qpid-site git commit: update site content for CVE-2018-17187
Date: Mon, 12 Nov 2018 10:52:30 +0000 (UTC)

Repository: qpid-site
Updated Branches:
  refs/heads/asf-site 5404ff5f2 -> badac501e

update site content for CVE-2018-17187

Project: http://git-wip-us.apache.org/repos/asf/qpid-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/qpid-site/commit/badac501
Tree: http://git-wip-us.apache.org/repos/asf/qpid-site/tree/badac501
Diff: http://git-wip-us.apache.org/repos/asf/qpid-site/diff/badac501

Branch: refs/heads/asf-site
Commit: badac501e58fcdeccb1ab064806c8815d1749537
Parents: 5404ff5
Author: Robbie Gemmell
Authored: Mon Nov 12 10:47:13 2018 +0000
Committer: Robbie Gemmell
Committed: Mon Nov 12 10:47:13 2018 +0000

----------------------------------------------------------------------
 content/cves/CVE-2018-17187.html            | 201 +++++++++++++++++++
 content/proton/index.html                   |   1 +
 content/proton/security-j.html              | 169 ++++++++++++++++
 .../qpid-proton-j-0.30.0/release-notes.html |   3 +
 content/security.html                       |   1 +
 input/cves/CVE-2018-17187.md                |  57 ++++++
 input/proton/index.md                       |   1 +
 input/proton/security-j.md                  |  27 +++
 .../qpid-proton-j-0.30.0/release-notes.md   |   4 +-
 input/security.md                           |   1 +
 10 files changed, 464 insertions(+), 1 deletion(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/cves/CVE-2018-17187.html ---------------------------------------------------------------------- diff --git a/content/cves/CVE-2018-17187.html b/content/cves/CVE-2018-17187.html new file mode 100644 index 0000000..7ceaab4 --- /dev/null +++ b/content/cves/CVE-2018-17187.html @@ -0,0 +1,201 @@ + + + + + CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented - Apache Qpid™ + + + + + + + + + + + + + +
+ + + + + + +
+
  • Home
  • CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented
+ +
+

CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented

+ +

Severity

+ +

Important

+ +

Affected components

+ +

Qpid Proton-J

+ +

Affected versions

+ +

0.3 to 0.29.0

+ +

Fixed versions

+ +

0.30.0

+ +

Description

+ +

The Proton-J transport includes an optional wrapper layer to perform TLS, +enabled by use of the 'transport.ssl(...)' methods. Unless a verification +mode was explicitly configured, client and server modes previously defaulted +as documented to not verifying a peer certificate, with options to +configure this explicitly or select a certificate verification mode with or +without hostname verification being performed.

+ +

The latter hostname verifying mode was not previously implemented, with +attempts to use it resulting in an exception. This left only the option to +verify the certificate is trusted, leaving such a client vulnerable to +Man In The Middle (MITM) attack.

+ +

Uses of the Proton-J protocol engine which do not utilise the optional +transport TLS wrapper are not impacted, e.g. usage within Qpid JMS.

+ +

Resolution

+ +

Uses of Proton-J utilising the optional transport TLS wrapper layer that +wish to enable hostname verification must be upgraded to version 0.30.0 or +later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is +now the default for client mode usage unless configured otherwise.

+ +

Mitigation

+ +

If upgrading is not currently possible then potential workarounds include +providing a custom SSLContext which enables hostname verification, or +omitting use of the 'transport.ssl(...)' methods and performing TLS through +other means such as utilising existing IO framework support or supplying a +custom transport wrapper layer.

+ +

References

+ +

PROTON-1962

+ +

Credit

+ +

This issue was reported by Peter Stockli of Alphabot Security.

+ + +
+ + + + +
+
+
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/index.html ---------------------------------------------------------------------- diff --git a/content/proton/index.html b/content/proton/index.html index 816ea63..f9696c0 100644 --- a/content/proton/index.html +++ b/content/proton/index.html @@ -203,6 +203,7 @@ platform, environment, or language. More about http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/proton/security-j.html ---------------------------------------------------------------------- diff --git a/content/proton/security-j.html b/content/proton/security-j.html new file mode 100644 index 0000000..ab4b962 --- /dev/null +++ b/content/proton/security-j.html @@ -0,0 +1,169 @@ + + + + + Security - Proton-J - Apache Qpid™ + + + + + + + + + + + + + +
+ + + + + + +
+ + +
+

Security - Proton-J

+ + + + + + + + + + + + + + + + + + + + +
CVE-IDSeverityAffected versionsFixed versionsSummary
CVE-2018-17187Important0.3 to 0.29.0 inclusive0.30.0 and laterTransport TLS wrapper hostname verification mode not implemented
+ +

See the main Security page for general +information and details for other components.

+ + +
+ + + + +
+
+
+ + http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/releases/qpid-proton-j-0.30.0/release-notes.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-proton-j-0.30.0/release-notes.html b/content/releases/qpid-proton-j-0.30.0/release-notes.html index f726b18..65fac66 100644 --- a/content/releases/qpid-proton-j-0.30.0/release-notes.html +++ b/content/releases/qpid-proton-j-0.30.0/release-notes.html @@ -122,6 +122,8 @@ about Qpid Proton.

For more information about this release, including download links and documentation, see the release overview.

+

Note: This release addresses security issue CVE-2018-17187, around hostname verification mode not being implemented in the optional transport TLS wrapper. Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted.

+

New features and improvements

    @@ -136,6 +138,7 @@ documentation, see the release overview.

    • PROTON-1938 - misaligned Transport set/getErrorCondition and closed() behaviour
    • PROTON-1958 - incorrect ordering for reactor timer tasks with matching deadlines
    • +
    • PROTON-1962 - [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented
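Review bot: the added Note paragraph in this generated file carries the typo "e.g use" (should be "e.g. use") and writes "proton-j" where the surrounding release notes and the new CVE page write "Proton-J". Since content/ is rendered from input/, the fix belongs in input/releases/qpid-proton-j-0.30.0/release-notes.md, which adds the same sentence in this commit, followed by regenerating this file rather than editing it by hand.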
    http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/content/security.html ---------------------------------------------------------------------- diff --git a/content/security.html b/content/security.html index 4508351..83dddb1 100644 --- a/content/security.html +++ b/content/security.html @@ -141,6 +141,7 @@ Qpid components are detailed at:

  • JMS client
  • AMQP 0-x JMS client
  • Proton
  • +
  • Proton-J
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/cves/CVE-2018-17187.md ---------------------------------------------------------------------- diff --git a/input/cves/CVE-2018-17187.md b/input/cves/CVE-2018-17187.md new file mode 100644 index 0000000..7df61cc --- /dev/null +++ b/input/cves/CVE-2018-17187.md 
@@ -0,0 +1,57 @@ +# CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented + +## Severity + +Important + +## Affected components + +Qpid Proton-J + +## Affected versions + +0.3 to 0.29.0 + +## Fixed versions + +0.30.0 + +## Description + +The Proton-J transport includes an optional wrapper layer to perform TLS, +enabled by use of the 'transport.ssl(...)' methods. Unless a verification +mode was explicitly configured, client and server modes previously defaulted +as documented to not verifying a peer certificate, with options to +configure this explicitly or select a certificate verification mode with or +without hostname verification being performed. + +The latter hostname verifying mode was not previously implemented, with +attempts to use it resulting in an exception. This left only the option to +verify the certificate is trusted, leaving such a client vulnerable to +Man In The Middle (MITM) attack. + +Uses of the Proton-J protocol engine which do not utilise the optional +transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. + +## Resolution + +Uses of Proton-J utilising the optional transport TLS wrapper layer that +wish to enable hostname verification must be upgraded to version 0.30.0 or +later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is +now the default for client mode usage unless configured otherwise. + +## Mitigation + +If upgrading is not currently possible then potential workarounds include +providing a custom SSLContext which enables hostname verification, or +omitting use of the 'transport.ssl(...)' methods and performing TLS through +other means such as utilising existing IO framework support or supplying a +custom transport wrapper layer. + +## References + +[PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962) + +## Credit + +This issue was reported by Peter Stockli of Alphabot Security. 
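Review bot: the "Affected versions" value "0.3 to 0.29.0" and "Fixed versions" value "0.30.0" should state inclusiveness the same way the security-j.md table added in this commit does ("0.3 to 0.29.0 inclusive", "0.30.0 and later"), so a reader of the CVE page alone is not left guessing whether 0.29.0 itself is affected. Two smaller points on the same hunk: in the Mitigation section, "providing a custom SSLContext which enables hostname verification" does not say what that SSLContext has to do for the statement to hold, and since the Description itself separates trusting the certificate from verifying the hostname, one sentence naming the expected mechanism (for instance a trust manager that also checks the peer name) would keep the workaround from being applied as a no-op; and 'transport.ssl(...)' and VerifyMode#VERIFY_PEER_NAME would read better in backticks, as this is markdown.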
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/index.md ---------------------------------------------------------------------- diff --git a/input/proton/index.md b/input/proton/index.md index bc810d5..bb3e406 100644 --- a/input/proton/index.md +++ b/input/proton/index.md @@ -89,6 +89,7 @@ platform, environment, or language. More about ## Resources - [Security](security.html) + - [Security - Proton-J](security-j.html) - [Contributing to Proton](submitting-patches.html) - [Proton wiki pages](https://cwiki.apache.org/confluence/display/qpid/proton) http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/proton/security-j.md ---------------------------------------------------------------------- diff --git a/input/proton/security-j.md b/input/proton/security-j.md new file mode 100644 index 0000000..7925e16 --- /dev/null +++ b/input/proton/security-j.md 
@@ -0,0 +1,27 @@ +;; +;; Licensed to the Apache Software Foundation (ASF) under one +;; or more contributor license agreements. See the NOTICE file +;; distributed with this work for additional information +;; regarding copyright ownership. The ASF licenses this file +;; to you under the Apache License, Version 2.0 (the +;; "License"); you may not use this file except in compliance +;; with the License. You may obtain a copy of the License at +;; +;; http://www.apache.org/licenses/LICENSE-2.0 +;; +;; Unless required by applicable law or agreed to in writing, +;; software distributed under the License is distributed on an +;; "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +;; KIND, either express or implied. See the License for the +;; specific language governing permissions and limitations +;; under the License. +;; + +# Security - Proton-J + +| CVE-ID | Severity | Affected versions | Fixed versions | Summary | +| ------ | -------- | ----------------- | -------------- | ------- | +| [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html) | Important | 0.3 to 0.29.0 inclusive | 0.30.0 and later | Transport TLS wrapper hostname verification mode not implemented | + +See the main [Security]({{site_url}}/security.html) page for general +information and details for other components. http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/releases/qpid-proton-j-0.30.0/release-notes.md ---------------------------------------------------------------------- diff --git a/input/releases/qpid-proton-j-0.30.0/release-notes.md b/input/releases/qpid-proton-j-0.30.0/release-notes.md index 3d0cb9a..5df8957 100644 --- a/input/releases/qpid-proton-j-0.30.0/release-notes.md +++ b/input/releases/qpid-proton-j-0.30.0/release-notes.md 
@@ -25,6 +25,7 @@ about [Qpid Proton]({{site_url}}/proton/index.html). For more information about this release, including download links and documentation, see the [release overview](index.html). +**Note**: This release addresses security issue [CVE-2018-17187]({{site_url}}/cves/CVE-2018-17187.html), around hostname verification mode not being implemented in the optional transport TLS wrapper. Uses of proton-j not using this layer (e.g use within Qpid JMS) are not impacted. ## New features and improvements @@ -36,4 +37,5 @@ documentation, see the [release overview](index.html). ## Bugs fixed - [PROTON-1938](https://issues.apache.org/jira/browse/PROTON-1938) - misaligned Transport set/getErrorCondition and closed() behaviour - - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering for reactor timer tasks with matching deadlines \ No newline at end of file + - [PROTON-1958](https://issues.apache.org/jira/browse/PROTON-1958) - incorrect ordering for reactor timer tasks with matching deadlines + - [PROTON-1962](https://issues.apache.org/jira/browse/PROTON-1962) - [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented http://git-wip-us.apache.org/repos/asf/qpid-site/blob/badac501/input/security.md ---------------------------------------------------------------------- diff --git a/input/security.md b/input/security.md index 5453ae9..bcd7427 100644 --- a/input/security.md +++ b/input/security.md @@ -39,6 +39,7 @@ Qpid components are detailed at: - [JMS client]({{site_url}}/components/jms/security.html) - [AMQP 0-x JMS client]({{site_url}}/components/jms/security-0-x.html) - [Proton]({{site_url}}/proton/security.html) + - [Proton-J]({{site_url}}/proton/security-j.html) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org For additional commands, e-mail: commits-help@qpid.apache.org
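Review bot: in the first release-notes.md hunk the added Note line has "e.g use" for "e.g. use", and "proton-j" is lowercased where the rest of the release notes and the new CVE page write "Proton-J"; suggest "Uses of Proton-J not using this layer (e.g. use within Qpid JMS) are not impacted." so the rendered release-notes.html picks up the corrected text on the next regeneration.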