SB2022092246 - Multiple vulnerabilities in Apache Pulsar

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2022-33683)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. A remote attacker can perform MitM attack.

2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2022-33682)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client. A remote attacker can perform MitM attack.

3) Improper validation of certificate with host mismatch (CVE-ID: CVE-2022-33681)

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy. A remote attacker can perform MitM attack.

Remediation

Install update from vendor's website.

References

• https://seclists.org/oss-sec/2022/q3/228
• https://seclists.org/oss-sec/2022/q3/227
• https://seclists.org/oss-sec/2022/q3/226