SSL verification omitted in OAuth2 credential flow in apache/pulsar
Reported on Mar 10th 2022
Description
Pulsar uses Curl to send HTTP(S) requests and typically uses the tlsAllowInsecure_ global variable (derived from isTlsAllowInsecureConnection()) to determine whether SSL verification should be enabled/disabled.
In the linked occurrences, those checks do not occur and SSL verification is disabled by default, which is obviously a security issue for end-users.
Impact
This vulnerability is capable of allowing an attacker to intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'.
Occurrences
AuthOauth2.cc L182-L183
Context: void ClientCredentialFlow::initialize()
curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
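A first-pass source audit for the pattern reported above, added here as an example and not part of the report or of the Pulsar code base: it scans C++ text for libcurl calls that hard-code a literal zero into CURLOPT_SSL_VERIFYPEER or CURLOPT_SSL_VERIFYHOST, and runs over two constructed snippets, the unconditional form quoted in the report and a form gated on the client's insecure-TLS setting (the tlsAllowInsecure_ ternary is an assumed shape for the fix, not the merged patch).

```python
import re
from typing import List, Tuple

# Constructed sample mirroring the unconditional pattern quoted in the report.
VULNERABLE_SNIPPET = """void ClientCredentialFlow::initialize() {
    CURL* handle = curl_easy_init();
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L);
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
}"""

# Constructed sample of a gated form (assumed shape, not the merged patch):
# verification stays on unless the client was configured to allow insecure TLS.
# libcurl enables peer verification with 1L and hostname verification with 2L.
HARDENED_SNIPPET = """void ClientCredentialFlow::initialize() {
    CURL* handle = curl_easy_init();
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, tlsAllowInsecure_ ? 0L : 1L);
    curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, tlsAllowInsecure_ ? 0L : 2L);
}"""

# curl_easy_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, <value>)
SETOPT_RE = re.compile(
    r"curl_easy_setopt\s*\(\s*[^,]+,\s*(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*,\s*([^)]+?)\s*\)"
)
ZERO_LITERAL_RE = re.compile(r"^0[lL]?$")


def find_unconditional_tls_disable(source: str) -> List[Tuple[int, str, str]]:
    """Return (line, option, value) for every call that passes a bare literal zero
    to a libcurl verification option, i.e. turns verification off regardless of
    configuration. A value derived from a variable or expression is not flagged."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SETOPT_RE.finditer(line):
            option, value = match.group(1), match.group(2).strip()
            if ZERO_LITERAL_RE.match(value):
                findings.append((lineno, option, value))
    return findings


if __name__ == "__main__":
    for name, snippet in (("vulnerable", VULNERABLE_SNIPPET), ("hardened", HARDENED_SNIPPET)):
        hits = find_unconditional_tls_disable(snippet)
        print(f"{name}: {len(hits)} unconditional verification-disabling call(s)")
        for lineno, option, value in hits:
            print(f"  line {lineno}: {option} = {value}")
```

The check is per line, so a literal zero that sits inside an if (tlsAllowInsecure_) block is still reported; treat hits as review candidates rather than confirmed bugs.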
@admin The SECURITY.md for this repository links to the pulsar website (here), but the link is invalid/outdated; the Taiwanese version (which is still available here) says:
When reporting a vulnerability to security@apache.org, you can copy your email to private@pulsar.apache.org to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
No worries! We already have the Apache security e-mail on file, and so will use this to reach out 👍 Thanks for the useful information anyway.
Hi @maintainer, I see that this has been acknowledged; has this issue been validated, or is any more information required to help the triage process?
The problem is in a not fully documented part of the C++/Python Pulsar client involving OAuth2.
We are committing a fix which will be cherry-picked into the three different release branches that are current: 2.8, 2.9, and 2.10. It will take approximately one month to make these releases. Once done we can release a CVE with credit.
https://github.com/apache/pulsar/pull/16064
Thanks for getting this resolved, that patch looks good to me!
We've fixed this issue in three out of the four impacted branches of Apache Pulsar. We are waiting on the release of Apache Pulsar 2.10.2 in the next weeks.
How should we credit the reporter in the CVE?
Glad to hear about the patch, I'm looking forward to the new release!
As for the credit, I'd be fine with name and email if that works for you (Michael Rowley, michaellrowley@protonmail.com)?
Thanks again
If we can also include a reference in the CVE to this report, that would also be appreciated 👍
This problem has since been fixed and the CVE has been published at https://www.cve.org/CVERecord?id=CVE-2022-33684 . I see we have given credit to Michael, but hadn't linked to this report yet. I have now also added a link to the report.
(huntr.dev requires a SHA commit and release to mark this report as 'fixed'. Since this issue was fixed over multiple repos and multiple commits, this doesn't really apply here. As a workaround I picked the release commit of pulsar 2.11.0, and entered "3.0.0" as the release version of the fix since both clients are fixed on that version. Also, the CVE was published 2022-11-04, but huntr.dev does not allow publication dates in the past, so I set it to 'today'. This is not ideal, but a result of the lack of nuance in the huntr.dev fields.)