[IGNITE-14004] Customized TrustManager bypasses certificate verification - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Critical
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: None
Component/s: clients, control.sh, security
Labels:
- security

Description

We found a security vulnerability in file ignite/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java. The customized TrustManger (at Line 502) allows all certificates to pass the verification.

Security Impact:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

Useful Resources:

https://cwe.mitre.org/data/definitions/295.html

https://developer.android.com/training/articles/security-ssl

Solution we suggest:

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See here to securely allow self-signed certificates and other common cases.

Please share with us your opinions/comments if there is any:

Is the bug report helpful?

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ya Xiao

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Jan/21 00:10

Updated:: 24/Jan/21 01:28