[ https://issues.apache.org/jira/browse/QPID-8499?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270787#comment-17270787 ]
Ya Xiao commented on QPID-8499:
-------------------------------
Thank you so much for replying. We are a security research team at Virginia
Tech. We are doing an empirical study about the usefulness of the existing
security vulnerability detection tools. The reported one is what we got from
certain tools.
We would so appreciate it if you could give us some information about the
following questions. Your feedback is important for us to help improve the
state-of-the-art.
# What kind of bug checker/vulnerability detection tools are you using? Do
you think they are helpful?
# Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
# What kind of support do you expect from a useful bug detector? E.g.
demonstration of exploits or some customized fixing suggestions?
> [Broker-J] Customized TrustManager bypasses certificate verification
> --------------------------------------------------------------------
>
> Key: QPID-8499
> URL: https://issues.apache.org/jira/browse/QPID-8499
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Reporter: Ya Xiao
> Priority: Major
>
> We found a security vulnerability in file
> [qpid-broker-j/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java|https://github.com/apache/qpid-broker-j/blob/a70ed6f5edbcf0e8690447d48a1fe64e599cb703/broker-core/src/main/java/org/apache/qpid/server/security/SiteSpecificTrustStoreImpl.java].
> The customized TrustManager (at Line 339) allows all certificates to pass the
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to
> implement the certificate validation logic. Bypassing it could allow
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager or specify the certificate validation logic
> instead of allowing all certificates. See
> [here|https://developer.android.com/training/articles/security-ssl] to
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
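The pattern the report describes, an X509TrustManager whose checkClientTrusted and checkServerTrusted bodies return without validating anything, is shown below next to a site-specific alternative that holds only the expected certificate and delegates chain validation to the platform trust manager. This is an added illustration written for this thread, not code from Broker-J or from the reporter; SiteSpecificTrustStoreImpl itself is not reproduced here. It assumes two PEM-encoded certificate files given on the command line (the expected site certificate and an unrelated one) and uses the "RSA" authType only as a representative value.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Broker-J code): contrasts a trust manager that accepts
 * every certificate with one that accepts only a configured site certificate
 * by delegating chain validation to the platform's X509TrustManager.
 */
public final class SiteTrustExample {

    /** The anti-pattern from the report: both check methods return normally, so no chain is ever validated (CWE-295). */
    static final class AcceptAllTrustManager implements X509TrustManager {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /**
     * Hardened form: put only the expected site certificate into an in-memory
     * KeyStore and let TrustManagerFactory build a validating X509TrustManager
     * for it. Signature, validity period and chain checks stay with the JDK.
     */
    static X509TrustManager siteSpecificTrustManager(X509Certificate siteCert) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // empty in-memory store, no file on disk
        ks.setCertificateEntry("site", siteCert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Reads one PEM/DER X.509 certificate from a file (assumed input path). */
    static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Returns true when the trust manager accepts the chain, false when it rejects it. */
    static boolean accepts(X509TrustManager tm, X509Certificate[] chain) {
        try {
            tm.checkServerTrusted(chain, "RSA"); // authType value is illustrative
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] = expected site certificate, args[1] = an unrelated certificate.
        X509Certificate expected = loadCertificate(args[0]);
        X509Certificate unrelated = loadCertificate(args[1]);

        X509TrustManager permissive = new AcceptAllTrustManager();
        X509TrustManager strict = siteSpecificTrustManager(expected);

        // The accept-all manager says "true" in both cases; the site-specific one
        // accepts only the configured certificate. A unit test that asserts the
        // unrelated certificate is rejected would have caught the bypass.
        System.out.println("accept-all, expected cert:   " + accepts(permissive, new X509Certificate[]{expected}));
        System.out.println("accept-all, unrelated cert:  " + accepts(permissive, new X509Certificate[]{unrelated}));
        System.out.println("site-specific, expected:     " + accepts(strict, new X509Certificate[]{expected}));
        System.out.println("site-specific, unrelated:    " + accepts(strict, new X509Certificate[]{unrelated}));
    }
}
```

Compile and run with `javac SiteTrustExample.java && java SiteTrustExample site.pem other.pem`. Two caveats apply to the hardened form: the JDK trust manager still enforces the certificate's validity period and any extended key usage it carries, so an expired or client-only site certificate is rejected rather than silently accepted; and a trust manager only answers "is this chain trusted", so hostname verification must still be enabled separately on the SSLParameters or HttpsURLConnection in use.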