cnvd - cnvd-2022-83591

CNVD-2022-83591

Vulnerability from cnvd - Published: 2022-12-01

Title

Apache Pulsar信任管理问题漏洞（CNVD-2022-83591）

Description

Apache Pulsar是美国阿帕奇（Apache）基金会的一个用于云环境种，集消息、存储、轻量化函数式计算为一体的分布式消息流平台。该软件支持多租户、持久化存储、多机房跨区域数据复制，具有强一致性、高吞吐以及低延时的高可扩展流数据存储特性。 Apache Pulsar存在信任管理问题漏洞，该漏洞源于对OAuth2.0客户端凭据流进行HTTPS调用时不会验证对等TLS证书，攻击者可利用该漏洞执行中间人攻击并拦截和/或修改发送的GET请求，截获的凭据可用于从OAuth2.0服务器获取身份验证数据，然后使用Apache Pulsar集群进行身份验证。

Severity

高

Patch Name

Apache Pulsar信任管理问题漏洞（CNVD-2022-83591）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv

Reference

https://cxsecurity.com/cveshow/CVE-2022-33684/

Impacted products

Name
['Apache Pulsar <=2.6.4', 'Apache Pulsar >=2.8.0，<2.8.4', 'Apache Pulsar >=2.9.0，<2.9.3', 'Apache Pulsar >=2.7.0，<2.7.5', 'Apache Pulsar >=2.10.0，<2.10.2']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2022-33684"
    }
  },
  "description": "Apache Pulsar\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u4e91\u73af\u5883\u79cd\uff0c\u96c6\u6d88\u606f\u3001\u5b58\u50a8\u3001\u8f7b\u91cf\u5316\u51fd\u6570\u5f0f\u8ba1\u7b97\u4e3a\u4e00\u4f53\u7684\u5206\u5e03\u5f0f\u6d88\u606f\u6d41\u5e73\u53f0\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u591a\u79df\u6237\u3001\u6301\u4e45\u5316\u5b58\u50a8\u3001\u591a\u673a\u623f\u8de8\u533a\u57df\u6570\u636e\u590d\u5236\uff0c\u5177\u6709\u5f3a\u4e00\u81f4\u6027\u3001\u9ad8\u541e\u5410\u4ee5\u53ca\u4f4e\u5ef6\u65f6\u7684\u9ad8\u53ef\u6269\u5c55\u6d41\u6570\u636e\u5b58\u50a8\u7279\u6027\u3002\n\nApache Pulsar\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9OAuth2.0\u5ba2\u6237\u7aef\u51ed\u636e\u6d41\u8fdb\u884cHTTPS\u8c03\u7528\u65f6\u4e0d\u4f1a\u9a8c\u8bc1\u5bf9\u7b49TLS\u8bc1\u4e66\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\u5e76\u62e6\u622a\u548c/\u6216\u4fee\u6539\u53d1\u9001\u7684GET\u8bf7\u6c42\uff0c\u622a\u83b7\u7684\u51ed\u636e\u53ef\u7528\u4e8e\u4eceOAuth2.0\u670d\u52a1\u5668\u83b7\u53d6\u8eab\u4efd\u9a8c\u8bc1\u6570\u636e\uff0c\u7136\u540e\u4f7f\u7528Apache Pulsar\u96c6\u7fa4\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-83591",
  "openTime": "2022-12-01",
  "patchDescription": "Apache Pulsar\u662f\u7f8e\u56fd\u963f\u5e15\u5947\uff08Apache\uff09\u57fa\u91d1\u4f1a\u7684\u4e00\u4e2a\u7528\u4e8e\u4e91\u73af\u5883\u79cd\uff0c\u96c6\u6d88\u606f\u3001\u5b58\u50a8\u3001\u8f7b\u91cf\u5316\u51fd\u6570\u5f0f\u8ba1\u7b97\u4e3a\u4e00\u4f53\u7684\u5206\u5e03\u5f0f\u6d88\u606f\u6d41\u5e73\u53f0\u3002\u8be5\u8f6f\u4ef6\u652f\u6301\u591a\u79df\u6237\u3001\u6301\u4e45\u5316\u5b58\u50a8\u3001\u591a\u673a\u623f\u8de8\u533a\u57df\u6570\u636e\u590d\u5236\uff0c\u5177\u6709\u5f3a\u4e00\u81f4\u6027\u3001\u9ad8\u541e\u5410\u4ee5\u53ca\u4f4e\u5ef6\u65f6\u7684\u9ad8\u53ef\u6269\u5c55\u6d41\u6570\u636e\u5b58\u50a8\u7279\u6027\u3002\r\n\r\nApache Pulsar\u5b58\u5728\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9OAuth2.0\u5ba2\u6237\u7aef\u51ed\u636e\u6d41\u8fdb\u884cHTTPS\u8c03\u7528\u65f6\u4e0d\u4f1a\u9a8c\u8bc1\u5bf9\u7b49TLS\u8bc1\u4e66\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4e2d\u95f4\u4eba\u653b\u51fb\u5e76\u62e6\u622a\u548c/\u6216\u4fee\u6539\u53d1\u9001\u7684GET\u8bf7\u6c42\uff0c\u622a\u83b7\u7684\u51ed\u636e\u53ef\u7528\u4e8e\u4eceOAuth2.0\u670d\u52a1\u5668\u83b7\u53d6\u8eab\u4efd\u9a8c\u8bc1\u6570\u636e\uff0c\u7136\u540e\u4f7f\u7528Apache Pulsar\u96c6\u7fa4\u8fdb\u884c\u8eab\u4efd\u9a8c\u8bc1\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Apache Pulsar\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-83591\uff09\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Apache Pulsar \u003c=2.6.4",
      "Apache Pulsar \u003e=2.8.0\uff0c\u003c2.8.4",
      "Apache Pulsar \u003e=2.9.0\uff0c\u003c2.9.3",
      "Apache Pulsar \u003e=2.7.0\uff0c\u003c2.7.5",
      "Apache Pulsar \u003e=2.10.0\uff0c\u003c2.10.2"
    ]
  },
  "referenceLink": "https://cxsecurity.com/cveshow/CVE-2022-33684/",
  "serverity": "\u9ad8",
  "submitTime": "2022-11-08",
  "title": "Apache Pulsar\u4fe1\u4efb\u7ba1\u7406\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2022-83591\uff09"
}

CVE-2022-33684 (GCVE-0-2022-33684)

Vulnerability from cvelistv5 – Published: 2022-11-04 00:00 – Updated: 2025-05-02 18:58

Title

Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation

Summary

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.

Severity ?

No CVSS data available.

CWE

CWE-295 - Improper Certificate Validation

Assigner

apache

References

URL

Tags

	https://lists.apache.org/thread/ky1ssskvkj00y36k7…
	https://huntr.dev/bounties/df89b724-3201-47aa-b8c…

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Pulsar	Affected: 2.7 , ≤ 2.7.4 (custom) Affected: 2.8 , ≤ 2.8.3 (custom) Affected: 2.9 , ≤ 2.9.2 (custom) Affected: 2.10 , ≤ 2.10.1 (custom) Affected: 2.6 and earlier , ≤ 2.6.4 (custom) Unaffected: 3.0.0 , < 3.0* (custom)

Credits

This issue was discovered by Michael Rowley, michaellrowley@protonmail.com

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T08:09:22.308Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-33684",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-02T18:56:43.494236Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-295",
                "description": "CWE-295 Improper Certificate Validation",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-02T18:58:10.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Pulsar",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "2.7.4",
              "status": "affected",
              "version": "2.7",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.8.3",
              "status": "affected",
              "version": "2.8",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.9.2",
              "status": "affected",
              "version": "2.9",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.10.1",
              "status": "affected",
              "version": "2.10",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "2.6.4",
              "status": "affected",
              "version": "2.6 and earlier",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0*",
              "status": "unaffected",
              "version": "3.0.0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "This issue was discovered by Michael Rowley, michaellrowley@protonmail.com"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow \u0027issuer url\u0027. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine \u0027between\u0027 the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "other": "high"
            },
            "type": "unknown"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-295",
              "description": "CWE-295 Improper Certificate Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-01-17T09:19:21.073Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "url": "https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv"
        },
        {
          "url": "https://huntr.dev/bounties/df89b724-3201-47aa-b8cd-282e112a566f"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Apache Pulsar C++/Python OAuth Clients prior to 3.0.0 were vulnerable to an MITM attack due to Disabled Certificate Validation",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2022-33684",
    "datePublished": "2022-11-04T00:00:00.000Z",
    "dateReserved": "2022-06-15T00:00:00.000Z",
    "dateUpdated": "2025-05-02T18:58:10.037Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-83591

CVE-2022-33684 (GCVE-0-2022-33684)

Tags

Sightings

Nomenclature