Main Vulnerability Database SB2016050202

SB2016050202 - Security restrictions bypass in Apache Qpid Proton Library

Published: May 2, 2016

Security Bulletin ID SB2016050202

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Security restrictions bypass (CVE-ID: CVE-2016-4467)

The vulnerability allows a remote attacker to bypass certificate validation on the target system.

The vulnerability exists due to authentication error in Apache Qpid Proton Library. The Proton C client and C-based client bindings on Windows-based systems improperly verify that the server host name matches the domain name in the certificate's Common Name (CN) or subjectAltName fields.

Applications that use the Proton C library for SSL/TLS authentication on Windows-based systems with the default SChannel-based security layer are affected.

Remediation

Install update from vendor's website.

References

http://qpid.apache.org/releases/qpid-proton-0.13.1/release-notes.html