While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This means that an undetected man in the middle attack could be constructed if an attacker can arrange to intercept TLS traffic.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:1399 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2019:1398 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:1400 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2024:1074-1 advisory.

  - While investigating bug PROTON-2014, we discovered that under some circumstances Apache Qpid Proton     versions 0.9 to 0.27.0 (C library and its language bindings) can connect to a peer anonymously using TLS
    *even when configured to verify the peer certificate* while used with OpenSSL versions before 1.1.0. This     means that an undetected man in the middle attack could be constructed if an attacker can arrange to     intercept TLS traffic. (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 / 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:2782 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 / 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:2781 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 / 6 / 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:2780 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2019:2779 advisory.

  - qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for qpid-proton is now available for Red Hat Satellite 6.4 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security Fix(es) :

* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

An update for qpid-proton is now available for Red Hat Satellite 6.5 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments.

Security Fix(es) :

* qpid-proton: TLS Man in the Middle Vulnerability (CVE-2019-0223)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

ID	Name	Product	Family	Severity
194151	RHEL 7 : qpid-proton (RHSA-2019:1399)	Nessus	Red Hat Local Security Checks	high
194149	RHEL 7 : qpid-proton (RHSA-2019:1398)	Nessus	Red Hat Local Security Checks	high
194097	RHEL 7 : qpid-proton (RHSA-2019:1400)	Nessus	Red Hat Local Security Checks	high
192751	openSUSE 15 Security Update : qpid-proton (SUSE-SU-2024:1074-1)	Nessus	SuSE Local Security Checks	high
129143	RHEL 5 / 6 / 7 : qpid-proton (RHSA-2019:2782)	Nessus	Red Hat Local Security Checks	high
129142	RHEL 5 / 6 / 7 : qpid-proton (RHSA-2019:2781)	Nessus	Red Hat Local Security Checks	high
128985	RHEL 5 / 6 / 7 / 8 : qpid-proton (RHSA-2019:2780)	Nessus	Red Hat Local Security Checks	high
128984	RHEL 7 : qpid-proton (RHSA-2019:2779)	Nessus	Red Hat Local Security Checks	high
128983	RHEL 7 : Satellite Server (RHSA-2019:2778)	Nessus	Red Hat Local Security Checks	high
128982	RHEL 7 : Satellite Server (RHSA-2019:2777)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2019-0223

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high