CVE-2016-2166: Infoleak
First published: Tue Apr 12 2016(Updated: )
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Red Hat Python-qpid-proton | <=0.12.0 | |
| Fedora | =23 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.html
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-Failure.html
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.html
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git;h=a058585
- https://issues.apache.org/jira/browse/PROTON-1157
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2016-2166?
CVE-2016-2166 has been classified as a medium severity vulnerability due to its potential for man-in-the-middle attacks.
How do I fix CVE-2016-2166?
To fix CVE-2016-2166, upgrade Apache Qpid Proton to version 0.12.1 or later.
What software is affected by CVE-2016-2166?
CVE-2016-2166 affects Apache Qpid Proton versions prior to 0.12.1 and Fedora version 23.
What exploit does CVE-2016-2166 allow?
CVE-2016-2166 allows man-in-the-middle attackers to intercept and potentially alter unencrypted connections.
Which components are vulnerable in CVE-2016-2166?
The vulnerable components in CVE-2016-2166 are the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/references
- agent/author
- agent/first-publish-date
- agent/description
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/red hat python-qpid-proton
- version/red hat python-qpid-proton/0.12.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/23