CVE-2018-17187: Improper Certificate Validation

November 13, 2018 (updated January 31, 2019)

The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the transport.ssl(...) methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed.

References

www.securityfocus.com/bid/105935
issues.apache.org/jira/browse/PROTON-1962
mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E
nvd.nist.gov/vuln/detail/CVE-2018-17187
qpid.apache.org/cves/CVE-2018-17187.html

Code Behaviors & Features

Detect and mitigate CVE-2018-17187 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →