cnvd - cnvd-2023-02479

cnvd-2023-02479

Vulnerability from cnvd

Title: Apache Sling Commons Messaging Mail信任管理问题漏洞

Description:

Apache Sling Commons Messaging Mail是美国Apache基金会的一款开源消息传递邮件服务。

Apache Sling Commons Messaging Mail 1.0.0存在信任管理问题漏洞，该漏洞源于Apache Sling Commons Messaging Mail在JavaMail/Jakarta Mail之上为OSGi提供了一个简单的层，用于通过SMTPS发送邮件。为了降低中间人攻击的风险，在访问邮件服务器时必须执行额外的服务器身份检查。出于兼容性原因，JavaMail/Jakarta Mail中默认禁用这些附加检查。攻击者可利用该漏洞通过SimpleMessageBuilder创建消息访问会话并设置属性mail.smtps.ssl来启用这些检查。

Severity: 中

Patch Name: Apache Sling Commons Messaging Mail信任管理问题漏洞的补丁

Patch Description:

Apache Sling Commons Messaging Mail是美国Apache基金会的一款开源消息传递邮件服务。

Formal description:

厂商已发布了漏洞修复程序，请及时关注更新： https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f

Reference: https://nvd.nist.gov/vuln/detail/CVE-2021-44549

Impacted products

Name
Apache Apache Sling Commons Messaging Mail 1.0.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-44549",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549"
    }
  },
  "description": "Apache Sling Commons Messaging Mail\u662f\u7f8e\u56fdApache\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u6d88\u606f\u4f20\u9012\u90ae\u4ef6\u670d\u52a1\u3002\n\nApache Sling Commons Messaging Mail 1.0.0\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Sling Commons Messaging Mail\u5728JavaMail/Jakarta Mail\u4e4b\u4e0a\u4e3aOSGi\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u5c42\uff0c\u7528\u4e8e\u901a\u8fc7SMTPS\u53d1\u9001\u90ae\u4ef6\u3002\u4e3a\u4e86\u964d\u4f4e\u4e2d\u95f4\u4eba\u653b\u51fb\u7684\u98ce\u9669\uff0c\u5728\u8bbf\u95ee\u90ae\u4ef6\u670d\u52a1\u5668\u65f6\u5fc5\u987b\u6267\u884c\u989d\u5916\u7684\u670d\u52a1\u5668\u8eab\u4efd\u68c0\u67e5\u3002\u51fa\u4e8e\u517c\u5bb9\u6027\u539f\u56e0\uff0cJavaMail/Jakarta Mail\u4e2d\u9ed8\u8ba4\u7981\u7528\u8fd9\u4e9b\u9644\u52a0\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7SimpleMessageBuilder\u521b\u5efa\u6d88\u606f\u8bbf\u95ee\u4f1a\u8bdd\u5e76\u8bbe\u7f6e\u5c5e\u6027mail.smtps.ssl\u6765\u542f\u7528\u8fd9\u4e9b\u68c0\u67e5\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-02479",
  "openTime": "2023-01-12",
  "patchDescription": "Apache Sling Commons Messaging Mail\u662f\u7f8e\u56fdApache\u57fa\u91d1\u4f1a\u7684\u4e00\u6b3e\u5f00\u6e90\u6d88\u606f\u4f20\u9012\u90ae\u4ef6\u670d\u52a1\u3002\r\n\r\nApache Sling Commons Messaging Mail 1.0.0\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eApache Sling Commons Messaging Mail\u5728JavaMail/Jakarta Mail\u4e4b\u4e0a\u4e3aOSGi\u63d0\u4f9b\u4e86\u4e00\u4e2a\u7b80\u5355\u7684\u5c42\uff0c\u7528\u4e8e\u901a\u8fc7SMTPS\u53d1\u9001\u90ae\u4ef6\u3002\u4e3a\u4e86\u964d\u4f4e\u4e2d\u95f4\u4eba\u653b\u51fb\u7684\u98ce\u9669\uff0c\u5728\u8bbf\u95ee\u90ae\u4ef6\u670d\u52a1\u5668\u65f6\u5fc5\u987b\u6267\u884c\u989d\u5916\u7684\u670d\u52a1\u5668\u8eab\u4efd\u68c0\u67e5\u3002\u51fa\u4e8e\u517c\u5bb9\u6027\u539f\u56e0\uff0cJavaMail/Jakarta Mail\u4e2d\u9ed8\u8ba4\u7981\u7528\u8fd9\u4e9b\u9644\u52a0\u68c0\u67e5\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7SimpleMessageBuilder\u521b\u5efa\u6d88\u606f\u8bbf\u95ee\u4f1a\u8bdd\u5e76\u8bbe\u7f6e\u5c5e\u6027mail.smtps.ssl\u6765\u542f\u7528\u8fd9\u4e9b\u68c0\u67e5\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Sling Commons Messaging Mail\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Apache Apache Sling Commons Messaging Mail 1.0.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-44549",
  "serverity": "\u4e2d",
  "submitTime": "2021-12-23",
  "title": "Apache Sling Commons Messaging Mail\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e"
}

CVE-2021-44549 (GCVE-0-2021-44549)

Vulnerability from cvelistv5

Published

2021-12-14 15:15

Modified

2024-08-04 04:25

Severity ?

CWE

CWE-295 - Improper Certificate Validation, CWE-297: Improper Validation of Certificate with Host Mismatch

Summary

Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of "man in the middle" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429

References

▼	URL	Tags
	https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Sling Commons Messaging Mail	Version: Apache Sling Commons Messaging Mail 1.0.0 1.0.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:25:16.815Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Sling Commons Messaging Mail",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Sling Commons Messaging Mail 1.0.0 1.0.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The issue was reported by Michael Lescisin."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \"man in the middle\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429"
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "low"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295: Improper Certificate Validation, CWE-297: Improper Validation of Certificate with Host Mismatch",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-12-14T15:15:10",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "SMTPS server hostname not checked when making TLS connection to SMTPS server",
      "workarounds": [
        {
          "lang": "en",
          "value": "Set the property mail.smtps.ssl.checkserveridentity to true via message\u0027s session."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2021-44549",
          "STATE": "PUBLIC",
          "TITLE": "SMTPS server hostname not checked when making TLS connection to SMTPS server"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Sling Commons Messaging Mail",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "=",
                            "version_name": "Apache Sling Commons Messaging Mail 1.0.0",
                            "version_value": "1.0.0"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "The issue was reported by Michael Lescisin."
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Apache Sling Commons Messaging Mail provides a simple layer on top of JavaMail/Jakarta Mail for OSGi to send mails via SMTPS. To reduce the risk of \"man in the middle\" attacks additional server identity checks must be performed when accessing mail servers. For compatibility reasons these additional checks are disabled by default in JavaMail/Jakarta Mail. The SimpleMailService in Apache Sling Commons Messaging Mail 1.0 lacks an option to enable these checks for the shared mail session. A user could enable these checks nevertheless by accessing the session via the message created by SimpleMessageBuilder and setting the property mail.smtps.ssl.checkserveridentity to true. Apache Sling Commons Messaging Mail 2.0 adds support for enabling server identity checks and these checks are enabled by default. - https://javaee.github.io/javamail/docs/SSLNOTES.txt - https://javaee.github.io/javamail/docs/api/com/sun/mail/smtp/package-summary.html - https://github.com/eclipse-ee4j/mail/issues/429"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": [
          {
            "other": "low"
          }
        ],
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-295: Improper Certificate Validation, CWE-297: Improper Validation of Certificate with Host Mismatch"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread/l8p9h2bqvkj6rhv4w8kzctb817415b7f"
            }
          ]
        },
        "source": {
          "discovery": "UNKNOWN"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Set the property mail.smtps.ssl.checkserveridentity to true via message\u0027s session."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2021-44549",
    "datePublished": "2021-12-14T15:15:10",
    "dateReserved": "2021-12-04T00:00:00",
    "dateUpdated": "2024-08-04T04:25:16.815Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted