Vulnerability Description
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Qpid Proton | <= 0.12.0 |
| Fedoraproject | Fedora | 23 |
Related Weaknesses (CWE)
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.htmlThird Party Advisory
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-FailurThird Party Advisory
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.htmlPatchVendor Advisory
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
- https://issues.apache.org/jira/browse/PROTON-1157Issue Tracking
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00
- http://lists.fedoraproject.org/pipermail/package-announce/2016-April/182414.htmlThird Party Advisory
- http://packetstormsecurity.com/files/136403/Apache-Qpid-Proton-0.12.0-SSL-FailurThird Party Advisory
- http://qpid.apache.org/releases/qpid-proton-0.12.1/release-notes.htmlPatchVendor Advisory
- http://www.securityfocus.com/archive/1/537864/100/0/threaded
- https://git-wip-us.apache.org/repos/asf?p=qpid-proton.git%3Bh=a058585
- https://issues.apache.org/jira/browse/PROTON-1157Issue Tracking
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00
FAQ
What is CVE-2016-2166?
CVE-2016-2166 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqp...
How severe is CVE-2016-2166?
CVE-2016-2166 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-2166?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Proton, Fedoraproject Fedora.