SSL verification omitted in OAuth2 credential flow in apache/pulsar
Mar 10th 2022
Pulsar uses Curl to send HTTP(S) requests and typically uses the
tlsAllowInsecure_ global variable (derived from
isTlsAllowInsecureConnection()) to determine whether SSL verification¹ should be enabled/disabled².
In the linked occurances, those checks do not occur and SSL verification is disabled by default which is obviously a security issue for end-users.
This vulnerability is capable of allowing an attacker to intercept and/or modify the GET request that is sent to the
ClientCredentialFlow 'issuer url'.
curl_easy_setopt(handle, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(handle, CURLOPT_SSL_VERIFYHOST, 0L);
SECURITY.md for this repository links to the pulsar website (here) but the link is invalid/outdated but the Thaiwanese version (which is still availalbe here) says:
When reporting a vulnerability to firstname.lastname@example.org, you can copy your email to email@example.com to send your report to the Apache Pulsar Project Management Committee. This is a private mailing list.
No worries! We already have the Apache security e-mail on file, and so will use this to reach out 👍 Thanks for the useful information anyway.
Hi @maintainer, I see that this has been acknowledged, has this issue been validated or is any more information required to help the triage process?
The problem is in a not fully documented part of the C++/Python Pulsar client. involving OAuth2.
We are committing a fix which will cherry picked into the three different release branches that are current. 2.8, 2.9, and 2.10. It will approximately one month to make these releases. Once done we can release a CVE with credit.
Thanks for getting this resolved, that patch looks good to me!
CVE-2022-33684 was allocated for this issue
Thanks, @maintainer 🙌
I've added the CVE to the report :)
We've fixed this issue in three out of the four impacted branches of Apache Pulsar. We are waiting on the release of Apache Pulsar 2.10.2 in the next weeks.
How should we credit the reporter in the CVE?
Glad to hear about the patch, I'm looking forward to the new release!
As with the credit, I'd be fine with name and email if that works for you (
Michael Rowley, firstname.lastname@example.org)?
If we can also include a reference in the CVE to this report, that would also be appreciated 👍
This problem has since been fixed and the CVE has been published at https://www.cve.org/CVERecord?id=CVE-2022-33684 . I see we have given credit to Michael, but hadn't linked to this report yet. I have now also added a link to the report.
(huntr.dev requires a SHA commit and release to mark this report as 'fixed'. Since this issue was fixed over multiple repo's and multiple commits, this doesn't really apply here. As a workaround I picked the release commit of pulsar 2.11.0, and entered "3.0.0" as the release version of the fix since both clients are fixed on that version. Also, the CVE was published 2022-11-04, but huntr.dev does not allow publication dates in the past, so I set it to 'today'. This is not ideal, but a result of the lack of nuance in the huntr.dev fields)