[QPID-8499] [Broker-J] Customized TrustManager bypasses certificate verification - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: None
Component/s: Broker-J
Labels:
None

Description

We found a security vulnerability in file qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java. The customized TrustManger (at Line 339) allows all certificates to pass the verification.

Security Impact:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

Useful Resources:

https://cwe.mitre.org/data/definitions/295.html

https://developer.android.com/training/articles/security-ssl

Solution we suggest:

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See here to securely allow self-signed certificates and other common cases.

Please share with us your opinions/comments if there is any:

Is the bug report helpful?

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Ya Xiao

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 17/Jan/21 00:19

Updated:: 31/Mar/21 00:05

Resolved:: 01/Feb/21 22:25