CVE-2019-0223
First published: Tue Apr 23 2019(Updated: )
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/qpid-proton | <0.27.1 | 0.27.1 |
| Apache Qpid | >=0.9<=0.27.0 | |
| Red Hat JBoss AMQ Clients | ||
| Red Hat Linux | =6.0 | |
| Red Hat Linux | =7.0 | |
| redhat openstack | =13 | |
| redhat openstack | =14 | |
| redhat satellite | =6.3 | |
| redhat satellite | =6.4 | |
| redhat satellite | =6.5 | |
| redhat enterprise Linux desktop | =6.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| redhat enterprise Linux eus | =6.7 | |
| redhat enterprise Linux eus | =7.2 | |
| redhat enterprise Linux eus | =7.3 | |
| redhat enterprise Linux eus | =7.4 | |
| redhat enterprise Linux eus | =7.5 | |
| redhat enterprise Linux eus | =7.6 | |
| redhat enterprise Linux server | =6.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux server aus | =5.9 | |
| redhat enterprise Linux server aus | =6.4 | |
| redhat enterprise Linux server aus | =6.5 | |
| redhat enterprise Linux server aus | =6.6 | |
| redhat enterprise Linux server aus | =7.2 | |
| redhat enterprise Linux server aus | =7.3 | |
| redhat enterprise Linux server aus | =7.4 | |
| redhat enterprise Linux server aus | =7.6 | |
| redhat enterprise Linux server tus | =7.2 | |
| redhat enterprise Linux server tus | =7.3 | |
| redhat enterprise Linux server tus | =7.4 | |
| redhat enterprise Linux server tus | =7.6 | |
| redhat enterprise Linux workstation | =6.0 | |
| redhat enterprise Linux workstation | =7.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/04/23/4
- http://www.securityfocus.com/bid/108044
- https://access.redhat.com/errata/RHSA-2019:0886
- https://access.redhat.com/errata/RHSA-2019:1398
- https://access.redhat.com/errata/RHSA-2019:1399
- https://access.redhat.com/errata/RHSA-2019:1400
- https://access.redhat.com/errata/RHSA-2019:2777
- https://access.redhat.com/errata/RHSA-2019:2778
- https://access.redhat.com/errata/RHSA-2019:2779
- https://access.redhat.com/errata/RHSA-2019:2780
- https://access.redhat.com/errata/RHSA-2019:2781
- https://access.redhat.com/errata/RHSA-2019:2782
- https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel
- https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E
- https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E
- https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E
- https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E
- https://issues.apache.org/jira/browse/PROTON-2014
- https://qpid.apache.org/cves/CVE-2019-0223.html
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=97c7733
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=159fac1
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=4aea0fd
- https://gitbox.apache.org/repos/asf?p=qpid-proton.git;h=2d3ba8a
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1702440
- https://access.redhat.com/support/policy/updates/openstack/platform/
- https://github.com/apache/qpid-proton/commit/4aea0fd8502f5e9af7f22fd60645eeec07bce0b2
- https://github.com/apache/qpid-proton/commit/159fac1f90d9b1ace1138d510176e7a5da54e9e9
- https://access.redhat.com/support/policy/updates/jboss_notes
- https://bugzilla.redhat.com/show_bug.cgi?id=1702439
- https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b%40%3Cdev.qpid.apache.org%3E
- https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5%40%3Cdev.qpid.apache.org%3E
- https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0%40%3Cannounce.apache.org%3E
- https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f%40%3Cusers.qpid.apache.org%3E
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d%40%3Ccommits.qpid.apache.org%3E
Frequently Asked Questions
What is the severity of CVE-2019-0223?
CVE-2019-0223 has been classified as a medium severity vulnerability.
How do I fix CVE-2019-0223?
To fix CVE-2019-0223, upgrade to Apache Qpid Proton version 0.27.1 or later.
What are the affected versions for CVE-2019-0223?
CVE-2019-0223 affects Apache Qpid Proton versions from 0.9 to 0.27.0.
Is OpenSSL involved in CVE-2019-0223?
Yes, CVE-2019-0223 occurs when using Apache Qpid Proton with OpenSSL versions prior to 1.
What kind of vulnerability is CVE-2019-0223?
CVE-2019-0223 is a TLS-related vulnerability that allows anonymous connections despite peer certificate verification being configured.
- agent/type
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-0223
- agent/software-canonical-lookup
- agent/severity
- agent/remedy
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/first-publish-date
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/apache
- canonical/apache qpid
- version/apache qpid/0.9
- version/apache qpid/0.27.0
- vendor/redhat
- canonical/red hat jboss amq clients
- canonical/red hat linux
- version/red hat linux/6.0
- version/red hat linux/7.0
- canonical/redhat openstack
- version/redhat openstack/13
- version/redhat openstack/14
- canonical/redhat satellite
- version/redhat satellite/6.3
- version/redhat satellite/6.4
- version/redhat satellite/6.5
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/6.0
- version/redhat enterprise linux desktop/7.0
- canonical/redhat enterprise linux eus
- version/redhat enterprise linux eus/6.7
- version/redhat enterprise linux eus/7.2
- version/redhat enterprise linux eus/7.3
- version/redhat enterprise linux eus/7.4
- version/redhat enterprise linux eus/7.5
- version/redhat enterprise linux eus/7.6
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/6.0
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux server aus
- version/redhat enterprise linux server aus/5.9
- version/redhat enterprise linux server aus/6.4
- version/redhat enterprise linux server aus/6.5
- version/redhat enterprise linux server aus/6.6
- version/redhat enterprise linux server aus/7.2
- version/redhat enterprise linux server aus/7.3
- version/redhat enterprise linux server aus/7.4
- version/redhat enterprise linux server aus/7.6
- canonical/redhat enterprise linux server tus
- version/redhat enterprise linux server tus/7.2
- version/redhat enterprise linux server tus/7.3
- version/redhat enterprise linux server tus/7.4
- version/redhat enterprise linux server tus/7.6
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/6.0
- version/redhat enterprise linux workstation/7.0