cnvd - cnvd-2016-01908

cnvd-2016-01908

Vulnerability from cnvd

Title: Apache Qpid Proton python API明文传输漏洞

Description:

Apache Qpid是Apache软件基金会开发的一款面向对象的消息中间件，Proton python API是一个支持python语言并实现了AMQP 1.0协议的API。

Apache Qpid Proton python API 0.9版本至0.12.0版本中存在安全漏洞，该漏洞源于当SSL连接不可用时，程序会在未通知的情况下使用未加密的连接。攻击者可利用该漏洞在用户不知情的情况下使所有消息明文传输。

Severity: 中

Patch Name: Apache Qpid Proton python API明文传输漏洞的补丁

Patch Description:

Apache Qpid是Apache软件基金会开发的一款面向对象的消息中间件，Proton python API是一个支持python语言并实现了AMQP 1.0协议的API。

Apache Qpid Proton python API 0.9版本至0.12.0版本中存在安全漏洞，该漏洞源于当SSL连接不可用时，程序会在未通知的情况下使用未加密的连接。攻击者可利用该漏洞在用户不知情的情况下使所有消息明文传输。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://issues.apache.org/jira/browse/PROTON-1157

Reference: https://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html

Impacted products

Name
Apache Qpid Proton python API 0.9-0.12.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2016-2166"
    }
  },
  "description": "Apache Qpid\u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u5f00\u53d1\u7684\u4e00\u6b3e\u9762\u5411\u5bf9\u8c61\u7684\u6d88\u606f\u4e2d\u95f4\u4ef6\uff0cProton python API\u662f\u4e00\u4e2a\u652f\u6301python\u8bed\u8a00\u5e76\u5b9e\u73b0\u4e86AMQP 1.0\u534f\u8bae\u7684API\u3002\r\n\r\nApache Qpid Proton python API 0.9\u7248\u672c\u81f30.12.0\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53SSL\u8fde\u63a5\u4e0d\u53ef\u7528\u65f6\uff0c\u7a0b\u5e8f\u4f1a\u5728\u672a\u901a\u77e5\u7684\u60c5\u51b5\u4e0b\u4f7f\u7528\u672a\u52a0\u5bc6\u7684\u8fde\u63a5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u4e0d\u77e5\u60c5\u7684\u60c5\u51b5\u4e0b\u4f7f\u6240\u6709\u6d88\u606f\u660e\u6587\u4f20\u8f93\u3002",
  "discovererName": "M. Farrellee from Red Hat",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://issues.apache.org/jira/browse/PROTON-1157",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-01908",
  "openTime": "2016-03-29",
  "patchDescription": "Apache Qpid\u662fApache\u8f6f\u4ef6\u57fa\u91d1\u4f1a\u5f00\u53d1\u7684\u4e00\u6b3e\u9762\u5411\u5bf9\u8c61\u7684\u6d88\u606f\u4e2d\u95f4\u4ef6\uff0cProton python API\u662f\u4e00\u4e2a\u652f\u6301python\u8bed\u8a00\u5e76\u5b9e\u73b0\u4e86AMQP 1.0\u534f\u8bae\u7684API\u3002\r\n\r\n\r\nApache Qpid Proton python API 0.9\u7248\u672c\u81f30.12.0\u7248\u672c\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5f53SSL\u8fde\u63a5\u4e0d\u53ef\u7528\u65f6\uff0c\u7a0b\u5e8f\u4f1a\u5728\u672a\u901a\u77e5\u7684\u60c5\u51b5\u4e0b\u4f7f\u7528\u672a\u52a0\u5bc6\u7684\u8fde\u63a5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7528\u6237\u4e0d\u77e5\u60c5\u7684\u60c5\u51b5\u4e0b\u4f7f\u6240\u6709\u6d88\u606f\u660e\u6587\u4f20\u8f93\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Qpid Proton python API\u660e\u6587\u4f20\u8f93\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Qpid Proton python API 0.9-0.12.0"
  },
  "referenceLink": "https://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html",
  "serverity": "\u4e2d",
  "submitTime": "2016-03-26",
  "title": "Apache Qpid Proton python API\u660e\u6587\u4f20\u8f93\u6f0f\u6d1e"
}

CVE-2016-2166 (GCVE-0-2016-2166)

Vulnerability from cvelistv5

Published

2016-04-12 14:00

Modified

2024-08-05 23:17

Severity ?

CWE

Summary

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.

References

▼	URL	Tags
	https://issues.apache.org/jira/browse/PROTON-1157	x_refsource_CONFIRM
	http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html	x_refsource_MISC
	http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html	vendor-advisory, x_refsource_FEDORA
	https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585	x_refsource_CONFIRM
	http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html	x_refsource_CONFIRM
	http://www.securityfocus.com/archive/1/537864/100/0/threaded	mailing-list, x_refsource_BUGTRAQ
	https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T23:17:50.750Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://issues.apache.org/jira/browse/PROTON-1157"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html"
          },
          {
            "name": "FEDORA-2016-e6e8436b98",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html"
          },
          {
            "name": "20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for \u0027amqps\u0027 if SSL/TLS not supported",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/537864/100/0/threaded"
          },
          {
            "name": "[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-03-23T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-04-23T11:06:04",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://issues.apache.org/jira/browse/PROTON-1157"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html"
        },
        {
          "name": "FEDORA-2016-e6e8436b98",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html"
        },
        {
          "name": "20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for \u0027amqps\u0027 if SSL/TLS not supported",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/537864/100/0/threaded"
        },
        {
          "name": "[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2016-2166",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://issues.apache.org/jira/browse/PROTON-1157",
              "refsource": "CONFIRM",
              "url": "https://issues.apache.org/jira/browse/PROTON-1157"
            },
            {
              "name": "http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html"
            },
            {
              "name": "FEDORA-2016-e6e8436b98",
              "refsource": "FEDORA",
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html"
            },
            {
              "name": "https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585",
              "refsource": "CONFIRM",
              "url": "https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585"
            },
            {
              "name": "http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html",
              "refsource": "CONFIRM",
              "url": "http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html"
            },
            {
              "name": "20160323 CVE-2016-2166: Apache Qpid Proton python binding silently ignores request for \u0027amqps\u0027 if SSL/TLS not supported",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/537864/100/0/threaded"
            },
            {
              "name": "[qpid-commits] 20190423 [qpid-site] branch asf-site updated: update site content for CVE-2019-0223",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2016-2166",
    "datePublished": "2016-04-12T14:00:00",
    "dateReserved": "2016-01-29T00:00:00",
    "dateUpdated": "2024-08-05T23:17:50.750Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted