Advisories for Maven/Org.apache.qpid/Proton-J package

2019

Improper Certificate Validation

Under some circumstances Apache Qpid Proton versions (C library and its language bindings) can connect to a peer anonymously using TLS even when configured to verify the peer certificate, when used with OpenSSL. This means that an undetected man-in-the-middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

2018

Improper Certificate Validation

The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the transport.ssl(…) methods. Unless a verification mode was explicitly configured, both client and server modes previously defaulted, as documented, to not verifying the peer certificate; options existed to configure this explicitly, or to select a certificate verification mode with or without hostname verification being performed.

Exposure of Sensitive Information to an Unauthorized Actor

The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.