CVE-2022-33683

Disabled Certificate Validation makes Broker, Proxy Admin Clients vulnerable to MITM attack

Description

Apache Pulsar Brokers and Proxies create an internal Pulsar Admin Client that does not verify peer TLS certificates, even when tlsAllowInsecureConnection is disabled via configuration. The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are therefore vulnerable to man-in-the-middle attacks, which could leak authentication data, configuration data, and any other data sent by these clients. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server, and must then actively manipulate traffic to perform the attack. This issue affects Apache Pulsar Broker and Proxy versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; and 2.6.4 and earlier.

Remediation

Workaround:

  • Any users running affected versions of the Pulsar Broker or Pulsar Proxy should rotate the static authentication data used by these applications that is vulnerable to man-in-the-middle attacks, including tokens and passwords.
  • 2.7 users should upgrade Pulsar Brokers and Proxies to 2.7.5, and rotate vulnerable authentication data, including tokens and passwords.
  • 2.8 users should upgrade Pulsar Brokers and Proxies to 2.8.4, and rotate vulnerable authentication data, including tokens and passwords.
  • 2.9 users should upgrade Pulsar Brokers and Proxies to 2.9.3, and rotate vulnerable authentication data, including tokens and passwords.
  • 2.10 users should upgrade Pulsar Brokers and Proxies to 2.10.1, and rotate vulnerable authentication data, including tokens and passwords.
  • Any users running Pulsar Brokers and Proxies for 2.6 and earlier should upgrade to one of the above patched versions, and rotate vulnerable authentication data, including tokens and passwords.
  • In addition to upgrading, it is also necessary to enable hostname verification to prevent man-in-the-middle attacks. Please see CVE-2022-33682 for more information.

Category

CVSS 3.1 base score: 5.9
Severity: Medium
EPSS: 0.09%
Vendor Advisory: apache.org
Affected: Apache Software Foundation Apache Pulsar

Frequently Asked Questions

What is the severity of CVE-2022-33683?
CVE-2022-33683 has been scored as a medium severity vulnerability.
How to fix CVE-2022-33683?
As a workaround for remediating CVE-2022-33683: any users running affected versions of the Pulsar Broker or Pulsar Proxy should rotate the static authentication data used by these applications, including tokens and passwords. Brokers and Proxies should be upgraded to a patched release (2.7.5, 2.8.4, 2.9.3, or 2.10.1; users of 2.6 and earlier should upgrade to one of these), and vulnerable authentication data rotated after the upgrade. In addition to upgrading, it is also necessary to enable hostname verification to prevent man-in-the-middle attacks. Please see CVE-2022-33682 for more information.
Is CVE-2022-33683 being actively exploited in the wild?
As of now, there is no information to confirm that CVE-2022-33683 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-33683?
CVE-2022-33683 affects Apache Software Foundation Apache Pulsar.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.