Rewterz Threat Advisory – Multiple Apache Pulsar Vulnerabilities

Severity

Medium

Analysis Summary

CVE-2022-24280 CVSS:6.5
Apache Pulsar could allow a remote attacker to bypass security restrictions, caused by an improper input validation vulnerability in the Proxy component. By sending a specially-crafted request, an attacker could exploit this vulnerability to make TCP/IP connection attempts that originate from the Pulsar Proxy’s IP address and cause a denial of service.

CVE-2022-24280 CVSS:5.3
Apache Pulsar is vulnerable to a man-in-the-middle attack, caused by delayed TLS hostname verification in the Pulsar Java Client and the Pulsar Proxy. By taking control of a machine ‘between’ the client and the server, an attacker could actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host and obtain exposed authentication data.

CVE-2022-33682 CVSS:7.5
Apache Pulsar is vulnerable to a man-in-the-middle attack, caused by the failure to enable TLS hostname verification in the Pulsar Broker’s Java Client, the Pulsar Broker’s Java Admin Client, the Pulsar WebSocket Proxy’s Java Client, and the Pulsar Proxy’s Admin Client. By taking control of a machine ‘between’ the client and the server, an attacker could actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host and obtain credentials, configuration data, message data, and any other data sent by these clients.

Impact

• Security Bypass
• Unauthorized Access

Indicators Of Compromise

CVE

• CVE-2022-24280
• CVE-2022-24280
• CVE-2022-33682

Affected Vendors

• Apache

Affected Products

• Apache Pulsar 2.7.0
• Apache Pulsar 2.8.0
• Apache Pulsar 2.7.4
• Apache Pulsar 2.8.2
• Apache Pulsar 2.9.0
• Apache Pulsar 2.6.4
• Apache Pulsar 2.8.3
• Apache Pulsar 2.9.2
• Apache Pulsar 2.10.0

Remediation

Upgrade to the latest version of Apache Pulsar, available from the Apache Web site.

Apache Website