CVE-2019-0223
HIGH
Apache Qpid 0.9-0.27.0 - Unauthenticated TLS Peer Certificate Verification Bypass
Title source: llmDescription
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* when used with OpenSSL versions before 1.1.0. This means that an undetected man-in-the-middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
References (18)
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b%40%3Cdev.qpid.apache.org%3E
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5%40%3Cdev.qpid.apache.org%3E
Mailing List, Third Party Advisory (mailing-list, x_refsource_mlist): http://www.openwall.com/lists/oss-security/2019/04/23/4
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0%40%3Cannounce.apache.org%3E
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f%40%3Cusers.qpid.apache.org%3E
Issue Tracking, Vendor Advisory (x_refsource_misc): https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
Mailing List (mailing-list, x_refsource_mlist): https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Broken Link (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/108044
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:0886
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1399
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1400
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:1398
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2777
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2778
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2779
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2780
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2781
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2019:2782
Scores
CVSS v3
7.4
EPSS
0.0041
EPSS Percentile
61.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
Status
published
Products (32)
apache/qpid
0.9 - 0.27.0
org.apache.qpid/proton-j
0.9 - 0.27.1 (Maven)
redhat/enterprise_linux_desktop
6.0
redhat/enterprise_linux_desktop
7.0
redhat/enterprise_linux_eus
6.7
redhat/enterprise_linux_eus
7.2
redhat/enterprise_linux_eus
7.3
redhat/enterprise_linux_eus
7.4
redhat/enterprise_linux_eus
7.5
redhat/enterprise_linux_eus
7.6
... and 22 more
Published
Apr 23, 2019
Tracked Since
Feb 18, 2026