QPID-8499: [Broker-J] Customized TrustManager bypasses certificate verification


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Broker-J
    • Labels: None

      Description

      We found a security vulnerability in file qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java. The customized TrustManager (at Line 339) allows all certificates to pass the verification.

      Security Impact:

      The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

      Useful Resources:

      https://cwe.mitre.org/data/definitions/295.html

      https://developer.android.com/training/articles/security-ssl

      Solution we suggest:

      Do not customize the TrustManager, or specify the certificate validation logic instead of allowing all certificates. See here to securely allow self-signed certificates and other common cases.

      Please share with us your opinions/comments if there are any:

      Is the bug report helpful?
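As an added example (not code from Broker-J or from the reporter), the trust-all TrustManager pattern the report describes is shown beside the safe way to accept a specific self-signed certificate: load that one certificate into a KeyStore and delegate validation to the JDK's own X509TrustManager. The PEM path, the alias and the helper names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagers {
    // Weak pattern described in the report (CWE-295): both check methods are
    // empty, so any certificate a TLS peer presents passes "verification".
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Hardened form: build a KeyStore containing only the expected self-signed
    // certificate and let the JDK's PKIX TrustManager do chain validation.
    // Any other certificate now fails with a CertificateException.
    static X509TrustManager forPinnedCertificate(String pemPath) throws Exception {
        X509Certificate trusted;
        try (InputStream in = new FileInputStream(pemPath)) { // pemPath is an assumption
            trusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                        // empty in-memory trust store
        ks.setCertificateEntry("pinned", trusted);   // alias is an assumption

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Check used in a unit test: the hardened manager must reject a chain
    // that does not end in the pinned certificate, while TRUST_ALL never does.
    static boolean rejects(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA");
            return false;
        } catch (CertificateException e) {
            return true;
        }
    }
}
```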

        People

        • Assignee: Unassigned
        • Reporter: Ya Xiao (yaxiao)
        • Votes: 0
        • Watchers: 4