Hi Michael, Thanks for your explanation. I think now we can mark #16064 [1] as the fix to the CVE.
In addition, the Apache Node.js client [2] is also based on the C++ client. I'm not familiar with how to install the Node.js client at the moment. It looks like it requires a pre-installation of the C++ client. So for Node.js users, they must upgrade the C++ client to the proper version. [1] https://github.com/apache/pulsar/pull/16064 [2] https://github.com/apache/pulsar-client-node Thanks, Yunze On Fri, Nov 4, 2022 at 2:40 AM Michael Marshall <mmarsh...@apache.org> wrote: > > Severity: high > > Description: > > The Apache Pulsar C++ Client does not verify peer TLS certificates when > making HTTPS calls for the OAuth2.0 Client Credential Flow, even when > tlsAllowInsecureConnection is disabled via configuration. This vulnerability > allows an attacker to perform a man in the middle attack and intercept and/or > modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. > The intercepted credentials can be used to acquire authentication data from > the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. > > An attacker can only take advantage of this vulnerability by taking control > of a machine 'between' the client and the server. The attacker must then > actively manipulate traffic to perform the attack. > > The Apache Pulsar Python Client wraps the C++ client, so it is also > vulnerable in the same way. > > This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 > to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. > > Mitigation: > > Any users running affected versions of the C++ Client or the Python Client > should rotate vulnerable OAuth2.0 credentials, including client_id and > client_secret. > > 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable > OAuth2.0 credentials. > 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable > OAuth2.0 credentials. > 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable > OAuth2.0 credentials. > 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate > vulnerable OAuth2.0 credentials. > 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected > when it is released. > Any users running the C++ and Python Client for 2.6 or less should upgrade to > one of the above patched versions. > > Credit: > > This issue was discovered by Michael Rowley, michaellrow...@protonmail.com >
