> So for Node.js users, they must upgrade the C++ > client to the proper version.
Thanks for highlighting this Yunze. That is my understanding as well. I'll update the node documentation accordingly. - Michael On Thu, Nov 3, 2022 at 11:42 PM Yunze Xu <y...@streamnative.io.invalid> wrote: > > Hi Michael, > > Thanks for your explanation. I think now we can mark #16064 [1] as the > fix to the CVE. > > In addition, the Apache Node.js client [2] is also based on the C++ > client. I'm not familiar > with how to install the Node.js client at the moment. It looks like it > requires a pre-installation > of the C++ client. So for Node.js users, they must upgrade the C++ > client to the proper version. > > [1] https://github.com/apache/pulsar/pull/16064 > [2] https://github.com/apache/pulsar-client-node > > Thanks, > Yunze > > > On Fri, Nov 4, 2022 at 2:40 AM Michael Marshall <mmarsh...@apache.org> wrote: > > > > Severity: high > > > > Description: > > > > The Apache Pulsar C++ Client does not verify peer TLS certificates when > > making HTTPS calls for the OAuth2.0 Client Credential Flow, even when > > tlsAllowInsecureConnection is disabled via configuration. This > > vulnerability allows an attacker to perform a man in the middle attack and > > intercept and/or modify the GET request that is sent to the > > ClientCredentialFlow 'issuer url'. The intercepted credentials can be used > > to acquire authentication data from the OAuth2.0 server to then > > authenticate with an Apache Pulsar cluster. > > > > An attacker can only take advantage of this vulnerability by taking control > > of a machine 'between' the client and the server. The attacker must then > > actively manipulate traffic to perform the attack. > > > > The Apache Pulsar Python Client wraps the C++ client, so it is also > > vulnerable in the same way. > > > > This issue affects Apache Pulsar C++ Client and Python Client versions > > 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and > > earlier. > > > > Mitigation: > > > > Any users running affected versions of the C++ Client or the Python Client > > should rotate vulnerable OAuth2.0 credentials, including client_id and > > client_secret. > > > > 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate > > vulnerable OAuth2.0 credentials. > > 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate > > vulnerable OAuth2.0 credentials. > > 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate > > vulnerable OAuth2.0 credentials. > > 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate > > vulnerable OAuth2.0 credentials. > > 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected > > when it is released. > > Any users running the C++ and Python Client for 2.6 or less should upgrade > > to one of the above patched versions. > > > > Credit: > > > > This issue was discovered by Michael Rowley, michaellrow...@protonmail.com > >
