Good catch, watching!

Michael Marshall <mmarsh...@apache.org> wrote on Friday, 4 November 2022 at 02:51:

> Severity: high
>
> Description:
>
> The Apache Pulsar C++ Client does not verify peer TLS certificates when
> making HTTPS calls for the OAuth2.0 Client Credential Flow, even when
> tlsAllowInsecureConnection is disabled via configuration. This
> vulnerability allows an attacker to perform a man in the middle attack and
> intercept and/or modify the GET request that is sent to the
> ClientCredentialFlow 'issuer url'. The intercepted credentials can be used
> to acquire authentication data from the OAuth2.0 server to then
> authenticate with an Apache Pulsar cluster.
>
> An attacker can only take advantage of this vulnerability by taking
> control of a machine 'between' the client and the server. The attacker must
> then actively manipulate traffic to perform the attack.
>
> The Apache Pulsar Python Client wraps the C++ client, so it is also
> vulnerable in the same way.
>
> This issue affects Apache Pulsar C++ Client and Python Client versions
> 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and
> earlier.
>
> Mitigation:
>
> Any users running affected versions of the C++ Client or the Python Client
> should rotate vulnerable OAuth2.0 credentials, including client_id and
> client_secret.
>
> 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate
> vulnerable OAuth2.0 credentials.
> 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate
> vulnerable OAuth2.0 credentials.
> 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate
> vulnerable OAuth2.0 credentials.
> 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate
> vulnerable OAuth2.0 credentials.
> 3.0 C++ users are unaffected and 3.0 Python Client users will be
> unaffected when it is released.
> Any users running the C++ and Python Client for 2.6 or less should upgrade
> to one of the above patched versions.
>
> Credit:
>
> This issue was discovered by Michael Rowley, michaellrow...@protonmail.com
>
> References:
>
> https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
>

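To make the failure mode in the advisory concrete, here is an added illustration in Python (it is not code from the Pulsar C++ or Python client, and it does not claim to show the actual fix). It models how a switch like tlsAllowInsecureConnection should drive peer verification on the HTTPS calls of the OAuth2 client-credentials flow: the "vulnerable" builder accepts the switch but never consults it, so the chain and the hostname are never checked and an on-path attacker can answer the issuer GET themselves; the hardened builder keeps verification on unless the caller explicitly opts out. The function names, the issuer discovery path (/.well-known/openid-configuration, the usual OpenID Connect location) and the sample token reply are assumptions of this example, not things the advisory states.

```python
# Added illustration (not code from the Pulsar C++ or Python client).
# Models how a tlsAllowInsecureConnection-style switch should control peer
# verification on the HTTPS calls of the OAuth2 client-credentials flow.
# Assumptions: the hypothetical function names below and the OpenID Connect
# discovery path /.well-known/openid-configuration for the issuer GET.
import json
import ssl
import urllib.parse
import urllib.request


def build_tls_context_vulnerable(tls_allow_insecure_connection):
    """Mirrors the defect the advisory describes: the switch is accepted but
    never consulted, so the peer certificate is never verified."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def build_tls_context(tls_allow_insecure_connection, ca_file=None):
    """Hardened form: verification stays on unless the caller opts out."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if tls_allow_insecure_connection:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx):
    """True only if the chain is validated AND the hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def discovery_url(issuer_url):
    """GET target for issuer metadata; refuses anything but https, because the
    reply names the endpoint the client_secret will be sent to."""
    parsed = urllib.parse.urlsplit(issuer_url)
    if parsed.scheme != "https":
        raise ValueError("issuer_url must use https: %r" % issuer_url)
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def token_request(token_endpoint, client_id, client_secret, audience):
    """POST form for the client-credentials grant (RFC 6749 section 4.4)."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "audience": audience,
    }).encode()
    return urllib.request.Request(
        token_endpoint, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw):
    """Extract the bearer token from the token endpoint's JSON reply."""
    doc = json.loads(raw)
    if doc.get("token_type", "").lower() != "bearer" or "access_token" not in doc:
        raise ValueError("unexpected token response")
    return doc["access_token"]


def fetch_token(issuer_url, client_id, client_secret, audience, ctx):
    """Full flow: discovery GET, then token POST, both over ctx (network I/O)."""
    with urllib.request.urlopen(discovery_url(issuer_url), context=ctx) as r:
        token_endpoint = json.load(r)["token_endpoint"]
    req = token_request(token_endpoint, client_id, client_secret, audience)
    with urllib.request.urlopen(req, context=ctx) as r:
        return parse_token_response(r.read())


# Constructed sample reply, used only to exercise parse_token_response offline.
SAMPLE_TOKEN_REPLY = (b'{"access_token": "eyJ.example", "token_type": "Bearer",'
                      b' "expires_in": 3600}')

if __name__ == "__main__":
    print("vulnerable builder verifies peer:",
          verifies_peer(build_tls_context_vulnerable(False)))
    print("hardened builder verifies peer:",
          verifies_peer(build_tls_context(False)))
    print("token:", parse_token_response(SAMPLE_TOKEN_REPLY))
```

The check worth keeping from this is verifies_peer: a TLS context that validates the chain but skips the hostname check, or the reverse, still lets an on-path attacker substitute a certificate, so both conditions have to hold before credentials are sent. fetch_token performs real network calls and is not exercised offline here.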