The latest C++ client uses curl@7.85.0. The CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST options are enabled and strict.

https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
https://curl.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html

Thanks,
Zixuan

On Fri, Nov 4, 2022 at 11:28, Zixuan Liu <node...@gmail.com> wrote:
> Good catch, watching!
>
> On Fri, Nov 4, 2022 at 02:51, Michael Marshall <mmarsh...@apache.org> wrote:
>
>> Severity: high
>>
>> Description:
>>
>> The Apache Pulsar C++ Client does not verify peer TLS certificates when
>> making HTTPS calls for the OAuth2.0 Client Credential Flow, even when
>> tlsAllowInsecureConnection is disabled via configuration. This
>> vulnerability allows an attacker to perform a man-in-the-middle attack and
>> intercept and/or modify the GET request that is sent to the
>> ClientCredentialFlow 'issuer url'. The intercepted credentials can be used
>> to acquire authentication data from the OAuth2.0 server to then
>> authenticate with an Apache Pulsar cluster.
>>
>> An attacker can only take advantage of this vulnerability by taking
>> control of a machine 'between' the client and the server. The attacker must
>> then actively manipulate traffic to perform the attack.
>>
>> The Apache Pulsar Python Client wraps the C++ client, so it is also
>> vulnerable in the same way.
>>
>> This issue affects Apache Pulsar C++ Client and Python Client versions
>> 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and
>> earlier.
>>
>> Mitigation:
>>
>> Any users running affected versions of the C++ Client or the Python
>> Client should rotate vulnerable OAuth2.0 credentials, including client_id
>> and client_secret.
>>
>> 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate
>> vulnerable OAuth2.0 credentials.
>> 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate
>> vulnerable OAuth2.0 credentials.
>> 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate
>> vulnerable OAuth2.0 credentials.
>> 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate
>> vulnerable OAuth2.0 credentials.
>> 3.0 C++ users are unaffected and 3.0 Python Client users will be
>> unaffected when it is released.
>> Any users running the C++ and Python Client for 2.6 or less should
>> upgrade to one of the above patched versions.
>>
>> Credit:
>>
>> This issue was discovered by Michael Rowley,
>> michaellrow...@protonmail.com
>>
>> References:
>>
>> https://lists.apache.org/thread/ky1ssskvkj00y36k7nys9b5gm5jjrzwv
>>
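As an added illustration, not code from the Pulsar project or from anyone on this thread, the following models the defect the advisory describes (the OAuth2 HTTPS call ignoring tlsAllowInsecureConnection and never verifying the peer) beside the hardened form the reply refers to, where verification is on unless the operator explicitly opts out. Python's standard ssl module stands in for the libcurl options named above (CURLOPT_SSL_VERIFYPEER=1 corresponds to CERT_REQUIRED, CURLOPT_SSL_VERIFYHOST=2 to check_hostname=True); the function names, the audit helper and the flag mapping are assumptions made for this example, and the real Python client wraps the C++ client rather than using this module.

```python
import ssl
from typing import Optional

# Added illustration, not Pulsar client code. The libcurl settings from the
# reply, given here for comparison with the ssl module equivalents:
#   CURLOPT_SSL_VERIFYPEER = 1  -> ctx.verify_mode = ssl.CERT_REQUIRED
#   CURLOPT_SSL_VERIFYHOST = 2  -> ctx.check_hostname = True


def vulnerable_oauth2_context(tls_allow_insecure_connection: bool) -> ssl.SSLContext:
    """Models the defect the advisory describes: the HTTPS call to the OAuth2
    issuer never verifies the peer, whatever the configuration says.
    The flag is accepted and ignored, which is exactly the problem."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # equivalent of VERIFYPEER=0
    return ctx


def hardened_oauth2_context(tls_allow_insecure_connection: bool,
                            trust_certs_path: Optional[str] = None) -> ssl.SSLContext:
    """Verification follows the same flag the rest of the client honours.
    trust_certs_path is a hypothetical CA bundle location for this example."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname=True, system roots
    if trust_certs_path:
        ctx.load_verify_locations(cafile=trust_certs_path)
    if tls_allow_insecure_connection:
        # Explicit operator opt-in only; equivalent to VERIFYPEER=0 / VERIFYHOST=0.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only when both the certificate chain and the hostname are checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_context(ctx: ssl.SSLContext, tls_allow_insecure_connection: bool) -> Optional[str]:
    """The check a reviewer wants: a finding when verification is off without
    the operator having asked for it, None when the context is consistent."""
    if tls_allow_insecure_connection or verifies_peer(ctx):
        return None
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("peer certificate chain is not verified (VERIFYPEER=0)")
    if not ctx.check_hostname:
        problems.append("hostname is not matched against the certificate (VERIFYHOST=0)")
    return "tlsAllowInsecureConnection is false but " + "; ".join(problems)


if __name__ == "__main__":
    for name, factory in (("vulnerable", vulnerable_oauth2_context),
                          ("hardened", hardened_oauth2_context)):
        ctx = factory(False)
        print(f"{name}: verifies_peer={verifies_peer(ctx)} finding={audit_context(ctx, False)}")
```

Run stand-alone, the vulnerable factory reports both findings for a configuration that disabled insecure connections, while the hardened factory reports none; the same audit applied to a context built with the flag set to true returns nothing, because that is the operator's explicit choice rather than a silent default.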