CVE-2016-2166

Severity

Moderate

Affected components

Qpid Proton

Affected versions

0.9 through 0.12.0 inclusive

Fixed versions

0.12.1 and later

Description

Python bindings silently ignore request for amqps if SSL/TLS not supported.

Messaging applications using the Proton Python API to provision an SSL/TLS encrypted TCP connection may actually instantiate a non-encrypted connection without notice if SSL support is unavailable. This will result in all messages being sent in the clear without the knowledge of the user.

This issue affects those applications that use the Proton Reactor Python API to create SSL/TLS connections. Specifically the proton.reactor.Connector, proton.reactor.Container, and proton.utils.BlockingConnection classes are vulnerable. These classes can create an unencrypted connections if the "amqps://" URL prefix is used.

The issue only occurs if the installed Proton libraries do not support SSL. This would be the case if the libraries were built without SSL support or the necessary SSL libraries are not present on the system (e.g. OpenSSL in the case of *nix).

To check whether or not the Python API provides SSL support, use the following console command:

python -c "import proton; print('%s' % 'SSL present' if proton.SSL.present() else 'SSL NOT AVAILBLE')"

In addition, the issue can only occur if both ends of the connection connect without SSL. This would be the case if the vulnerability is active on both ends of the connection, or the non-affected endpoint allows cleartext connections.

Resolution

Proton release 0.12.1 resolves this issue by raising an SSLUnavailable exception when SSL is not available and a SSL/TLS connection is requested via the "amqps://" URL prefix.

A patch is also available.

Credit

This issue was discovered by M. Farrellee from Red Hat.

References

PROTON-1157

---

• Apache
• License
• Sponsorship
• Thanks!
• Security

Apache Qpid, Messaging built on AMQP; Copyright © 2015 The Apache Software Foundation; Licensed under the Apache License, Version 2.0; Apache Qpid, Qpid, Qpid Proton, Proton, Apache, the Apache feather logo, and the Apache Qpid project logo are trademarks of The Apache Software Foundation; All other marks mentioned may be trademarks or registered trademarks of their respective owners