CVE-2019-0223 qpid-proton: TLS Man in the Middle Vulnerability

Impact: Important
Public Date: 2019-04-23
CWE: CWE-295 (Improper Certificate Validation) -> CWE-300 (Channel Accessible by Non-Endpoint)
Bugzilla: 1702439

The MITRE CVE dictionary describes this issue as:

While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

Find out more about CVE-2019-0223 from the MITRE CVE dictionary and NIST NVD.
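As an added example that is not part of this advisory, of qpid-proton or of Red Hat's tooling: a Python checker that encodes the two affected ranges the advisory names (qpid-proton 0.9 to 0.27.0, OpenSSL before 1.1.0) and, independently of which library a client uses, inspects a finished TLS session for the symptom described above, a peer that was never authenticated. The cipher-suite names, version strings and sample certificate dict in the script are constructed; the regular expression relies on OpenSSL's ADH/AECDH and the IANA registry's `_anon_` naming of anonymous key exchange, and `check_tls_endpoint` is a network helper for interactive use only.

```python
"""Post-handshake checks for a TLS client session (added example, not project code).

The advisory says an affected qpid-proton (0.9 to 0.27.0) built against
OpenSSL before 1.1.0 may end up connected to a peer anonymously even though
it was configured to verify the peer certificate. Independently of the
library fix, an application can check the session it actually got: an
authenticated session has a peer certificate and a cipher suite whose key
exchange is not anonymous. All sample values below are constructed.
"""
import re
import socket
import ssl
from typing import Any, Mapping, Optional, Tuple

# Anonymous key exchange as named by OpenSSL ("ADH-...", "AECDH-...") and
# by the IANA registry ("TLS_DH_anon_...", "TLS_ECDH_anon_...").
_ANON_KX = re.compile(r"(^|[-_])(ADH|AECDH|anon)(?=[-_]|$)", re.IGNORECASE)


def is_anonymous_cipher(name: str) -> bool:
    """True if the cipher suite name denotes anonymous (unauthenticated) key exchange."""
    return _ANON_KX.search(name) is not None


def _parse_version(text: str) -> Tuple[int, ...]:
    """Leading dotted numeric components: '0.27.0-1.el7' -> (0, 27, 0)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def openssl_affected(version_info: Tuple[int, ...]) -> bool:
    """OpenSSL releases before 1.1.0 are the affected range named in the advisory.

    Accepts ssl.OPENSSL_VERSION_INFO, i.e. (major, minor, fix, patch, status).
    """
    return tuple(version_info[:3]) < (1, 1, 0)


def proton_affected(version: str) -> bool:
    """qpid-proton 0.9 up to and including 0.27.0, as listed in the advisory."""
    return (0, 9) <= _parse_version(version) <= (0, 27, 0)


def session_is_authenticated(cipher_name: str,
                             peer_cert: Optional[Mapping[str, Any]]) -> Tuple[bool, str]:
    """Judge a completed handshake from its negotiated cipher and peer certificate.

    peer_cert is what ssl.SSLSocket.getpeercert() returns: None when the peer
    sent no certificate, {} when one was sent but not validated, a dict when
    it was validated. Either of the first two means the peer is unauthenticated.
    """
    if is_anonymous_cipher(cipher_name):
        return False, f"anonymous key exchange negotiated: {cipher_name}"
    if not peer_cert:
        return False, "peer presented no certificate, or it was not validated"
    return True, f"authenticated: {cipher_name}, subject {peer_cert.get('subject')}"


def check_tls_endpoint(host: str, port: int, cafile: Optional[str] = None) -> Tuple[bool, str]:
    """Connect with verification on and re-check the session that resulted.

    Network helper for interactive use; not exercised by the offline checks.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED plus hostname check
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, _bits = tls.cipher()
            return session_is_authenticated(name, tls.getpeercert())


if __name__ == "__main__":
    # Report the interpreter's own OpenSSL against the advisory's < 1.1.0 condition.
    status = "affected" if openssl_affected(ssl.OPENSSL_VERSION_INFO) else "not affected"
    print(f"{ssl.OPENSSL_VERSION}: {status} by the OpenSSL < 1.1.0 condition")
    # Constructed sessions: one authenticated, one anonymous with no certificate.
    samples = [
        ("ECDHE-RSA-AES128-GCM-SHA256", {"subject": ((("commonName", "broker"),),)}),
        ("ADH-AES256-SHA", None),
    ]
    for cipher, cert in samples:
        print(cipher, session_is_authenticated(cipher, cert))
```

The cipher-name test is the part that matters for this bug: a client that set verify mode but negotiated an ADH or AECDH suite has no certificate to verify, so the configured verification never ran, which is exactly the anonymous connection the advisory describes.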
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
CVSS3 Base Score | 7.4 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
Attack Vector | Network |
Attack Complexity | High |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | High |
Availability Impact | None |
Platform | Package | State |
---|---|---|
Red Hat Virtualization 4 | qpid-proton | Under investigation |
Red Hat Satellite 6 | qpid-proton | Under investigation |
Red Hat OpenStack Platform Operational Tools 14 | qpid-proton | Under investigation |
Red Hat OpenStack Platform 8.0 (Liberty) | qpid-proton | Under investigation |
Red Hat OpenStack Platform 14.0 (Rocky) | qpid-proton | Under investigation |
Red Hat OpenShift Application Runtimes 1.0 | vertx | Under investigation |
Red Hat JBoss Fuse 7 | proton-j | Under investigation |
Red Hat JBoss Fuse 6 | proton-j | Under investigation |
Red Hat JBoss A-MQ 7 | proton-j | Under investigation |
Red Hat JBoss A-MQ 7 | qpid-proton | Under investigation |
Red Hat JBoss A-MQ 6 | proton-j | Under investigation |
Red Hat Enterprise MRG 3 | qpid-proton | Under investigation |
Red Hat Enterprise MRG 3 | qpid-proton-java | Under investigation |
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 | qpid-proton | Under investigation |