Vulnerability Details : CVE-2019-0223
While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.
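The description above states the effect (a "verify the peer" client that can still complete an unauthenticated handshake) but not the internal cause. The following is an added example written for this page, not Apache Qpid Proton code and not a reproduction of PROTON-2014; it uses Python's standard `ssl` module as a stand-in client library and assumes the usual mechanism behind this class of failure, namely that an anonymous (aNULL) cipher suite stays negotiable, so the server never presents a certificate and peer verification has nothing to reject. It shows the two checks a practitioner wants regardless of which library or OpenSSL version is in play: exclude aNULL explicitly in the cipher list, and gate on the negotiated suite and the presented certificate after the handshake. All cipher-suite names and the sample sessions are constructed inputs, not captured traffic.

```python
"""Configuration and post-handshake checks for a TLS client that is supposed to
verify its peer.

Added example for the CVE-2019-0223 entry; not Apache Qpid Proton code and not a
reproduction of the Proton bug. Python's ssl module stands in for the client
library. Assumed failure mode: an anonymous (aNULL) suite is negotiated, so no
server certificate is ever presented. Suite names and sessions are constructed.
"""
import ssl
from typing import Dict, List, Optional


def is_anonymous_suite(name: str) -> bool:
    """True if a cipher suite name denotes anonymous (unauthenticated) key exchange.

    Covers OpenSSL names (ADH-*, AECDH-*) and IANA names (TLS_DH_anon_*,
    TLS_ECDH_anon_*). TLS 1.3 suites always authenticate the server, so they
    never match.
    """
    upper = name.upper()
    return upper.startswith(("ADH-", "AECDH-")) or "DH_ANON_" in upper


def harden_cipher_list(spec: str) -> str:
    """Return an OpenSSL cipher string that explicitly excludes aNULL suites.

    "!aNULL" is a permanent kill in OpenSSL cipher-list syntax, unlike "-aNULL",
    which a later element can re-add, so only "!aNULL" counts as already hardened.
    """
    parts = [p for p in spec.split(":") if p]
    if any(p.lower() == "!anull" for p in parts):
        return ":".join(parts)
    return ":".join(parts + ["!aNULL"])


def build_verifying_context(cafile: Optional[str] = None,
                            ciphers: str = "HIGH") -> ssl.SSLContext:
    """Client context that requires a verified certificate and cannot offer aNULL."""
    # PROTOCOL_TLS_CLIENT sets verify_mode=CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile)  # assumed path to the broker's CA bundle
    else:
        ctx.load_default_certs()
    ctx.set_ciphers(harden_cipher_list(ciphers))
    return ctx


def context_requires_peer_cert(ctx: ssl.SSLContext) -> bool:
    """Configuration check: the context insists on a verified, name-matched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def negotiable_anonymous_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suites the context would still offer that need no server certificate (expect none)."""
    return [c["name"] for c in ctx.get_ciphers() if is_anonymous_suite(c["name"])]


def peer_is_authenticated(cipher_name: str, peer_cert: Optional[dict]) -> bool:
    """Post-handshake gate: proceed only if a certificate actually backed the key exchange.

    cipher_name is SSLSocket.cipher()[0]; peer_cert is SSLSocket.getpeercert(),
    which is an empty dict when no validated certificate was presented.
    """
    if is_anonymous_suite(cipher_name):
        return False
    return bool(peer_cert)


# Constructed sample sessions: (negotiated cipher, what getpeercert() returned).
SAMPLE_SESSIONS = {
    "verified": ("ECDHE-RSA-AES256-GCM-SHA384",
                 {"subject": ((("commonName", "broker.example.test"),),)}),
    "anon_dh": ("ADH-AES256-GCM-SHA384", {}),
    "anon_ecdh": ("AECDH-AES128-SHA", {}),
    "no_cert": ("ECDHE-RSA-AES128-GCM-SHA256", {}),
}


def audit_sessions() -> Dict[str, bool]:
    """Apply the post-handshake gate to each constructed session."""
    return {label: peer_is_authenticated(cipher, cert)
            for label, (cipher, cert) in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    ctx = build_verifying_context()
    print("requires peer cert:", context_requires_peer_cert(ctx))
    print("anonymous suites still offered:", negotiable_anonymous_suites(ctx))
    for label, ok in audit_sessions().items():
        print(f"{label:10s} -> {'accept' if ok else 'REJECT'}")
```

The post-handshake gate is the part that catches a library-level bug like the one described here: even if the library's own "verify peer" switch was silently bypassed, a session with an anonymous suite or an empty peer certificate is rejected before any AMQP traffic is sent.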
Products affected by CVE-2019-0223
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.7:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:5.9:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:6.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:6.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:satellite:6.5:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:7.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_amq_clients_2:-:*:*:*:*:*:*:*
- cpe:2.3:a:apache:qpid:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-0223
EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~57% (proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2019-0223
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST |
7.4 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | 2.2 | 5.2 | NIST |
References for CVE-2019-0223
- https://access.redhat.com/errata/RHSA-2019:2780 : RHSA-2019:2780 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2782 : RHSA-2019:2782 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00fcdeb1d5d6c0d@%3Ccommits.qpid.apache.org%3E : Pony Mail! [Mailing List; Patch; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2019:0886 : RHSA-2019:0886 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://issues.apache.org/jira/browse/PROTON-2014?page=com.atlassian.jira.plugin.system.issuetabpanels%3Aall-tabpanel : [PROTON-2014] [CVE-2019-0223] TLS Man in the Middle Vulnerability - ASF JIRA [Issue Tracking; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2019:1399 : RHSA-2019:1399 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:1400 : RHSA-2019:1400 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/d9c9a882a292e2defaed1f954528c916fb64497ce57db652727e39b0@%3Cannounce.apache.org%3E : [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://lists.apache.org/thread.html/49c83f0acce5ceaeffca51714ec2ba0f0199bcb8f99167181bba441b@%3Cdev.qpid.apache.org%3E : [jira] [Updated] (PROTON-2014) [CVE-2019-0223] TLS Man in the Middle Vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2019:1398 : RHSA-2019:1398 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://lists.apache.org/thread.html/008ee5e78e5a090e1fcc5f6617f425e4e51d59f03d3eda2dd006df9f@%3Cusers.qpid.apache.org%3E : [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2019:2781 : RHSA-2019:2781 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2778 : RHSA-2019:2778 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- https://access.redhat.com/errata/RHSA-2019:2779 : RHSA-2019:2779 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]
- http://www.securityfocus.com/bid/108044 : Apache Qpid Proton CVE-2019-0223 Man in the Middle Security Bypass Vulnerability [Broken Link]
- http://www.openwall.com/lists/oss-security/2019/04/23/4 : oss-security - [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability [Mailing List; Third Party Advisory]
- https://lists.apache.org/thread.html/3adb2f020f705b4fd453982992a68cd10f9d5ac728b699efdb73c1f5@%3Cdev.qpid.apache.org%3E : [SECURITY] CVE-2019-0223: Apache Qpid Proton TLS Man in the Middle Vulnerability - Pony Mail [Mailing List; Vendor Advisory]
- https://access.redhat.com/errata/RHSA-2019:2777 : RHSA-2019:2777 - Security Advisory - Red Hat Customer Portal [Third Party Advisory]