Affects Version/s: None
Fix Version/s: None
We found a security vulnerability in file qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java. The customized TrustManager (at Line 339) allows all certificates to pass verification.
The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. When they return without throwing for every chain, any certificate is accepted, which could allow man-in-the-middle attacks.
Solution we suggest:
Do not customize the TrustManager, or implement the certificate validation logic instead of accepting all certificates. See here for how to securely allow self-signed certificates and other common cases.
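The following is an added illustration, not code from Qpid Broker-J or from this report. It puts the accept-all X509TrustManager pattern described above next to a hardened alternative: load the single operator-supplied certificate (for example a self-signed site certificate) into an in-memory KeyStore as a trust anchor and let the JDK's default PKIX TrustManager perform chain validation. The class name, the method names, and the two PEM file paths taken from the command line are assumptions made for the example.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Example code (hypothetical class name), not part of Qpid Broker-J.
public class TrustManagerExample {

    // INSECURE: the pattern the report describes. Neither check method ever
    // throws, so every chain is "trusted" and an attacker holding any
    // certificate can sit between the broker and its peer.
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Parse one PEM/DER encoded X.509 certificate from disk.
    static X509Certificate readCert(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    // SECURE: trust exactly one certificate. The anchor goes into an empty
    // in-memory KeyStore and the platform TrustManagerFactory builds a PKIX
    // X509TrustManager that rejects every chain not rooted at that anchor.
    static X509TrustManager trustOnly(X509Certificate anchor) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                 // start empty
        trustStore.setCertificateEntry("site", anchor);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // Wire the chosen TrustManager into an SSLContext for use by a socket factory.
    static SSLContext contextFor(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);
        return ctx;
    }

    // Report whether a manager accepts a single-certificate server chain.
    // "RSA" is the TLS authType string the handshake would pass for an RSA
    // key exchange; the JDK checks key-usage constraints against it.
    static String verdict(X509TrustManager tm, X509Certificate presented) {
        try {
            tm.checkServerTrusted(new X509Certificate[] { presented }, "RSA");
            return "accepted";
        } catch (CertificateException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Usage: java TrustManagerExample <trusted-site.pem> <presented.pem>
    // Pass the same file twice to see the hardened manager accept it, and a
    // different self-signed certificate as the second argument to see it
    // rejected while ACCEPT_ALL still says "accepted".
    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustManagerExample <trusted.pem> <presented.pem>");
            System.exit(2);
        }
        X509Certificate anchor = readCert(Path.of(args[0]));
        X509Certificate presented = readCert(Path.of(args[1]));
        X509TrustManager pinned = trustOnly(anchor);

        System.out.println("accept-all manager: " + verdict(ACCEPT_ALL, presented));
        System.out.println("pinned manager:     " + verdict(pinned, presented));
        System.out.println("SSLContext protocol: " + contextFor(pinned).getProtocol());
    }
}
```

Two caveats a reviewer would raise on any such fix: checkServerTrusted only validates the chain, so hostname verification must still be turned on separately (for example via SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the client side), and a pinned anchor must be rotated before it expires, since the PKIX manager will correctly start rejecting the peer once the certificate's validity period ends.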
Please share with us your opinions/comments if there are any:
Is the bug report helpful?