Vulnerability Description
The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate when using the SChannel-based security layer, which allows man-in-the-middle attackers to spoof servers via an arbitrary valid certificate.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Qpid Proton | 0.8.0 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2016/07/15/3 (Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/91788 (Third Party Advisory, VDB Entry)
- http://www.securitytracker.com/id/1036316 (Third Party Advisory, VDB Entry)
- https://lists.apache.org/thread.html/914424e4d798a340f523b6169aaf39b626971d9bb00
FAQ
What is CVE-2016-4467?
CVE-2016-4467 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The C client and C-based client bindings in the Apache Qpid Proton library before 0.13.1 on Windows do not properly verify that the server hostname matches a domain name in the subject's Common Name (...
How severe is CVE-2016-4467?
CVE-2016-4467 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-4467?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Qpid Proton.