Posted to users@camel.apache.org by Ravi Sunchu <Ra...@sas.com.INVALID> on 2021/01/11 13:35:36 UTC

Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Hi All:

In a project where we are using camel-netty component, our Blackduck scans reported a medium (4.7) security vulnerability against netty-4.1.53.Final version. The essence of the vulnerability seems to be that Netty client does not verify the hostname of the server against the certificate. This is documented in the following issues under the Netty project.

https://github.com/netty/netty/issues/9930
https://github.com/netty/netty/issues/8537

Apparently Netty devs are trying to enable hostname verification by default in Netty 5, but while using Netty 4 this has to be enabled manually by setting

SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") and by providing hostname and port while creating the SSLEngine.

I looked around the Camel JSSE Util page (https://camel.apache.org/manual/latest/camel-configuration-utilities.html) and the source for SSLContextParameters and related classes. I could not find any mechanism to set the endpoint identification algorithm in SSLContextParameters in Camel so that it gets passed to the underlying Netty library as expected. A search through the Camel mailing list also did not return any hits on this topic.

Is there a way to enable hostname verification for Netty component in Camel? Or is this a vulnerability in camel-netty component that still needs to be addressed in this component?

Attached is the Blackduck report regarding this vulnerability.

Thanks for the help.

Regards
Ravi Sunchu
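The two Netty 4 steps listed above (setting the endpoint identification algorithm and giving the SSLEngine the peer host and port) in working code, as an added example that is not from this thread, from Camel or from Netty. The VerifyingSslHandlerFactory class is a made-up helper; the camel-netty options named after the block (sslHandler, clientInitializerFactory) are assumed from the camel-netty component documentation.

```java
import io.netty.handler.ssl.SslHandler;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Builds a client-side SSLEngine that checks the server certificate
 * against the host being connected to, and wraps it in a Netty SslHandler.
 * Hypothetical helper: not part of camel-netty or Netty.
 */
public final class VerifyingSslHandlerFactory {

    private final SSLContext sslContext;

    public VerifyingSslHandlerFactory(SSLContext sslContext) {
        this.sslContext = sslContext;
    }

    /** One SslHandler per connection: SslHandler and SSLEngine are not reusable. */
    public SslHandler newHandler(String peerHost, int peerPort) {
        // The peer host/port gives the JSSE provider the identity to check
        // against; an engine created without them has nothing to compare.
        SSLEngine engine = sslContext.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(true);

        // "HTTPS" selects RFC 2818 name matching (SAN dNSName, then CN).
        // It is a JSSE algorithm name and applies to any TLS client, plain
        // TCP included. Left unset, any certificate the trust store accepts
        // is accepted, whatever name it was issued for.
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        return new SslHandler(engine);
    }

    /** Defensive check for tests or startup: true only if verification is on. */
    public static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return engine.getPeerHost() != null && "HTTPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample peer; SSLContext.getDefault() uses the JVM trust store.
        SslHandler h = new VerifyingSslHandlerFactory(SSLContext.getDefault())
                .newHandler("tcp-peer.example.internal", 9443);
        System.out.println("hostname verification: " + verifiesHostname(h.engine()));
    }
}
```

Because an SslHandler is per-connection, handing a single instance to camel-netty's sslHandler endpoint option only works for one channel; for a producer that reconnects, call newHandler from a custom clientInitializerFactory so each pipeline gets a fresh engine built with the endpoint's host and port.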

RE: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Posted by Ravi Sunchu <Ra...@sas.com.INVALID>.
Hi Zheng:

We are using Netty for TCP socket connections, not for http.

Thanks
Ravi

-----Original Message-----
From: Zheng Feng <zf...@redhat.com> 
Sent: Monday, January 11, 2021 9:06 AM
To: users@camel.apache.org
Subject: Re: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

It looks like we have resolved a similar issue in
https://issues.apache.org/jira/browse/CAMEL-14070 to support SNI. So IMO, the camel-netty-http will not be affected by this vulnerability.


Re: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Posted by Zheng Feng <zf...@redhat.com>.
It looks like we have resolved a similar issue in
https://issues.apache.org/jira/browse/CAMEL-14070 to support SNI. So IMO,
the camel-netty-http will not be affected by this vulnerability.

On Mon, Jan 11, 2021 at 9:43 PM Ravi Sunchu <Ra...@sas.com.invalid>
wrote:

> Hi All:
>
> In a project where we are using camel-netty component, our Blackduck scans
> reported a medium (4.7) security vulnerability against netty-4.1.53.Final
> version. The essence of the vulnerability seems to be that Netty client
> does not verify the hostname of the server against the certificate. This is
> documented in the following issues under the Netty project.
>
> https://github.com/netty/netty/issues/9930
> https://github.com/netty/netty/issues/8537
>
> Apparently Netty devs are trying to enable hostname verification by
> default in Netty 5, but while using Netty 4 this has to be enabled manually
> by setting
>
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") and by providing
> hostname and port while creating the SSLEngine.
>
> I looked around the Camel JSSE Util page (
> https://camel.apache.org/manual/latest/camel-configuration-utilities.html)
> and the source for SSLContextParameters and related classes. I could not
> find any mechanism to set the endpoint identification algorithm in
> SSLContextParameters in Camel so that it gets passed to the underlying
> Netty library as expected. A search through the Camel mailing list also did
> not return any hits on this topic.
>
> Is there a way to enable hostname verification for Netty component in
> Camel? Or is this a vulnerability in camel-netty component that still needs
> to be addressed in this component?
>
> Attached is the Blackduck report regarding this vulnerability.
>
> Thanks for the help.
>
> Regards
> Ravi Sunchu
>

RE: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Posted by Ravi Sunchu <Ra...@sas.com.INVALID>.
Hi Andrea:

We are using Camel 3.4.4.

My apologies for posting to the wrong mailing list. Admins, please delete this post from this mailing list. I will report this to ASF security team.

Given that this was a vulnerability that was identified 2 years ago, I thought I was missing something and that there would be a way to configure this in Camel.

Thanks
Ravi

-----Original Message-----
From: Andrea Cosentino <an...@gmail.com> 
Sent: Monday, January 11, 2021 8:42 AM
To: users@camel.apache.org
Subject: Re: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Please report the camel version you're using.

I think this shouldn't be discussed on the users ML; you should contact the ASF security mail address instead.



Re: Camel-Netty Security Vulnerability (CWE-295/BDSA-2018-4022) - Hostname verification

Posted by Andrea Cosentino <an...@gmail.com>.
Please report the camel version you're using.

I think this shouldn't be discussed on the users ML; you should contact the ASF
security mail address instead.



On Mon, 11 Jan 2021, 14:35 Ravi Sunchu <Ra...@sas.com.invalid>
wrote:

> Hi All:
>
> In a project where we are using camel-netty component, our Blackduck scans
> reported a medium (4.7) security vulnerability against netty-4.1.53.Final
> version. The essence of the vulnerability seems to be that Netty client
> does not verify the hostname of the server against the certificate. This is
> documented in the following issues under the Netty project.
>
> https://github.com/netty/netty/issues/9930
> https://github.com/netty/netty/issues/8537
>
> Apparently Netty devs are trying to enable hostname verification by
> default in Netty 5, but while using Netty 4 this has to be enabled manually
> by setting
>
> SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") and by providing
> hostname and port while creating the SSLEngine.
>
> I looked around the Camel JSSE Util page (
> https://camel.apache.org/manual/latest/camel-configuration-utilities.html)
> and the source for SSLContextParameters and related classes. I could not
> find any mechanism to set the endpoint identification algorithm in
> SSLContextParameters in Camel so that it gets passed to the underlying
> Netty library as expected. A search through the Camel mailing list also did
> not return any hits on this topic.
>
> Is there a way to enable hostname verification for Netty component in
> Camel? Or is this a vulnerability in camel-netty component that still needs
> to be addressed in this component?
>
> Attached is the Blackduck report regarding this vulnerability.
>
> Thanks for the help.
>
> Regards
> Ravi Sunchu
>