rhsa-2019_1398
Vulnerability from csaf_redhat
Published
2019-06-06 15:52
Modified
2024-09-13 19:51
Summary
Red Hat Security Advisory: qpid-proton security update
Notes
Topic
An update for qpid-proton is now available for Red Hat OpenStack Platform
14 (Rocky).
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
Details
The AMQ Client enables connecting, sending, and receiving messages over the
AMQP 1.0 wire transport protocol.
This update provides various bug fixes and enhancements in addition to the
client package versions previously released on Red Hat Enterprise Linux 7.
Security Fix(es):
* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for qpid-proton is now available for Red Hat OpenStack Platform\n14 (Rocky).\n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The AMQ Client enables connecting, sending, and receiving messages over the\nAMQP 1.0 wire transport protocol.\n\nThis update provides various bug fixes and enhancements in addition to the\nclient package versions previously released on Red Hat Enterprise Linux 7.\n\nSecurity Fix(es):\n\n* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE \npage(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:1398",
"url": "https://access.redhat.com/errata/RHSA-2019:1398"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "1702439",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702439"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2019/rhsa-2019_1398.json"
}
],
"title": "Red Hat Security Advisory: qpid-proton security update",
"tracking": {
"current_release_date": "2024-09-13T19:51:24+00:00",
"generator": {
"date": "2024-09-13T19:51:24+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHSA-2019:1398",
"initial_release_date": "2019-06-06T15:52:32+00:00",
"revision_history": [
{
"date": "2019-06-06T15:52:32+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-06-06T15:52:32+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-13T19:51:24+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7",
"product": {
"name": "Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7",
"product_id": "7Server-RH7-RHOS-14.0-OPTOOLS",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack-optools:14::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "qpid-proton-c-0:0.27.0-3.el7.x86_64",
"product": {
"name": "qpid-proton-c-0:0.27.0-3.el7.x86_64",
"product_id": "qpid-proton-c-0:0.27.0-3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/qpid-proton-c@0.27.0-3.el7?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64",
"product": {
"name": "qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64",
"product_id": "qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/qpid-proton-debuginfo@0.27.0-3.el7?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "qpid-proton-0:0.27.0-3.el7.src",
"product": {
"name": "qpid-proton-0:0.27.0-3.el7.src",
"product_id": "qpid-proton-0:0.27.0-3.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/qpid-proton@0.27.0-3.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "qpid-proton-0:0.27.0-3.el7.src as a component of Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7",
"product_id": "7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-0:0.27.0-3.el7.src"
},
"product_reference": "qpid-proton-0:0.27.0-3.el7.src",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0-OPTOOLS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "qpid-proton-c-0:0.27.0-3.el7.x86_64 as a component of Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7",
"product_id": "7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-c-0:0.27.0-3.el7.x86_64"
},
"product_reference": "qpid-proton-c-0:0.27.0-3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0-OPTOOLS"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64 as a component of Red Hat OpenStack Platform 14.0 Operational Tools for RHEL 7",
"product_id": "7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64"
},
"product_reference": "qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64",
"relates_to_product_reference": "7Server-RH7-RHOS-14.0-OPTOOLS"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-0223",
"cwe": {
"id": "CWE-300",
"name": "Channel Accessible by Non-Endpoint"
},
"discovery_date": "2019-04-23T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1702439"
}
],
"notes": [
{
"category": "description",
"text": "A cryptographic weakness was discovered in qpid-proton\u0027s use of TLS. If the qpid-proton client was used without client certificates, it would accept an anonymous cipher offered by the server. A man-in-the-middle attacker could use this to silently intercept traffic that should have been encrypted.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "qpid-proton: TLS Man in the Middle Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat OpenStack Platform 14 (and its Operational Tools) is impacted by this flaw; other supported versions are not vulnerable.\n\nRed Hat Virtualization 4 uses qpid-proton for katello-agent, which always uses client certificate authentication.\n\nRed Hat Update Infrastructure 3 is impacted by this flaw, however in its default configuration client certificate authentication is used and qpidd service, which uses qpid-proton, cannot be reach from other machines.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-0:0.27.0-3.el7.src",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-c-0:0.27.0-3.el7.x86_64",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-0223"
},
{
"category": "external",
"summary": "RHBZ#1702439",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1702439"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-0223",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0223"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-0223",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0223"
},
{
"category": "external",
"summary": "https://qpid.apache.org/cves/CVE-2019-0223.html",
"url": "https://qpid.apache.org/cves/CVE-2019-0223.html"
}
],
"release_date": "2019-04-23T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "For details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-0:0.27.0-3.el7.src",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-c-0:0.27.0-3.el7.x86_64",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:1398"
},
{
"category": "workaround",
"details": "This attack will not work if client-certificate authentication is in place because anonymous ciphers would not then be available.\nAnother possible mitigation is to disable anonymous ciphers on clients.",
"product_ids": [
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-0:0.27.0-3.el7.src",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-c-0:0.27.0-3.el7.x86_64",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-0:0.27.0-3.el7.src",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-c-0:0.27.0-3.el7.x86_64",
"7Server-RH7-RHOS-14.0-OPTOOLS:qpid-proton-debuginfo-0:0.27.0-3.el7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "qpid-proton: TLS Man in the Middle Vulnerability"
}
]
}
Loading...