{"api_version":"1","generated_at":"2026-05-14T03:46:25+00:00","cve":"CVE-2018-17187","urls":{"html":"https://cve.report/CVE-2018-17187","api":"https://cve.report/api/cve/CVE-2018-17187.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2018-17187","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2018-17187"},"summary":{"title":"CVE-2018-17187","description":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.","state":"PUBLIC","assigner":"security@apache.org","published_at":"2018-11-13 15:29:00","updated_at":"2019-01-31 19:10:00"},"problem_types":["CWE-295"],"metrics":[],"references":[{"url":"http://www.securityfocus.com/bid/105935","name":"105935","refsource":"BID","tags":["Third Party Advisory","VDB Entry"],"title":"Apache Qpid Proton-J CVE-2018-17187 Certificate Validation Security Bypass Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"https://issues.apache.org/jira/browse/PROTON-1962","name":"https://issues.apache.org/jira/browse/PROTON-1962","refsource":"MISC","tags":["Vendor Advisory"],"title":"[PROTON-1962] [CVE-2018-17187] transport TLS wrapper hostname verification mode not implemented - ASF JIRA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://qpid.apache.org/cves/CVE-2018-17187.html","name":"https://qpid.apache.org/cves/CVE-2018-17187.html","refsource":"MISC","tags":["Mitigation","Vendor Advisory"],"title":"CVE-2018-17187: transport TLS wrapper hostname verification mode not implemented - Apache Qpid™","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","name":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","refsource":"MISC","tags":["Mailing List","Mitigation","Vendor Advisory"],"title":"[SECURITY] [CVE-2018-17187] Apache Qpid Proton-J transport TLS wrapper hostname verification mode not implemented","mime":"text/xml","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2018-17187","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-17187","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2018","cve_id":"17187","vulnerable":"1","versionEndIncluding":"0.29.0","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"apache","cpe5":"qpid_proton-j","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2018-17187","qid":"980776","title":"Java (maven) Security Update for org.apache.qpid:proton-j (GHSA-xvch-r4wf-h8w9)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"security@apache.org","ID":"CVE-2018-17187","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Apache Qpid Proton-J","version":{"version_data":[{"version_value":"Apache Qpid Proton-J 0.3 to 0.29.0"}]}}]},"vendor_name":"Apache Software Foundation"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Hostname verification support not implemented, exception thrown if configured."}]}]},"references":{"reference_data":[{"name":"https://issues.apache.org/jira/browse/PROTON-1962","refsource":"MISC","url":"https://issues.apache.org/jira/browse/PROTON-1962"},{"name":"105935","refsource":"BID","url":"http://www.securityfocus.com/bid/105935"},{"name":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E","refsource":"MISC","url":"https://mail-archives.apache.org/mod_mbox/qpid-users/201811.mbox/%3CCAFitrpQSV73Vz7rJYfLJK7gvEymZSCR5ooWUeU8j4jzRydk-eg%40mail.gmail.com%3E"},{"name":"https://qpid.apache.org/cves/CVE-2018-17187.html","refsource":"MISC","url":"https://qpid.apache.org/cves/CVE-2018-17187.html"}]}},"nvd":{"publishedDate":"2018-11-13 15:29:00","lastModifiedDate":"2019-01-31 19:10:00","problem_types":["CWE-295"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.4,"baseSeverity":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:N/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.8},"severity":"MEDIUM","exploitabilityScore":8.6,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:apache:qpid_proton-j:*:*:*:*:*:*:*:*","versionStartIncluding":"0.3","versionEndIncluding":"0.29.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2018","CveId":"17187","Ordinal":"134000","Title":"CVE-2018-17187","CVE":"CVE-2018-17187","Year":"2018"},"notes":[{"CveYear":"2018","CveId":"17187","Ordinal":"1","NoteData":"The Apache Qpid Proton-J transport includes an optional wrapper layer to perform TLS, enabled by use of the 'transport.ssl(...)' methods. Unless a verification mode was explicitly configured, client and server modes previously defaulted as documented to not verifying a peer certificate, with options to configure this explicitly or select a certificate verification mode with or without hostname verification being performed. The latter hostname verifying mode was not implemented in Apache Qpid Proton-J versions 0.3 to 0.29.0, with attempts to use it resulting in an exception. This left only the option to verify the certificate is trusted, leaving such a client vulnerable to Man In The Middle (MITM) attack. Uses of the Proton-J protocol engine which do not utilise the optional transport TLS wrapper are not impacted, e.g. usage within Qpid JMS. Uses of Proton-J utilising the optional transport TLS wrapper layer that wish to enable hostname verification must be upgraded to version 0.30.0 or later and utilise the VerifyMode#VERIFY_PEER_NAME configuration, which is now the default for client mode usage unless configured otherwise.","Type":"Description","Title":null},{"CveYear":"2018","CveId":"17187","Ordinal":"2","NoteData":"2018-11-13","Type":"Other","Title":"Published"},{"CveYear":"2018","CveId":"17187","Ordinal":"3","NoteData":"2018-11-16","Type":"Other","Title":"Modified"}]}}}