- I'll have a look
- This has been assigned CVE-2023-4586
My organization has a Sonatype finding (sonatype-2020-0026) on netty-handler, which is a transitive dependency of infinispan-client-hotrod-jakarta. Netty claims the finding to be a "configuration issue". Code using SslHandler should call SSLParameters.setEndpointIdentificationAlgorithm(String):
```java
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

SSLEngine sslEngine = sslHandler.engine();
SSLParameters sslParameters = sslEngine.getSSLParameters(); // only available since Java 7
sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
sslEngine.setSSLParameters(sslParameters);
```
Otherwise hostname verification will not be enabled, which could lead to MITM attacks.
I checked the Infinispan source code and it is not calling setEndpointIdentificationAlgorithm where SslHandler is used. I looked in the following files in the client:
Could I be missing something or is Infinispan vulnerable?
Last thing, our project uses infinispan-client-hotrod-jakarta (via debezium-connector-oracle). I assume the source code for infinispan-client-hotrod is the same, but just with javax instead of jakarta packages?
Links:
netty/netty#9930 (comment)
https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-
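The snippet in the post shows the four lines that flip hostname verification on; what it does not show is where they have to sit relative to Netty's handshake. The following is an added example, not Infinispan's or Netty's own code, of a client-side ChannelInitializer that applies the setting before the SslHandler enters the pipeline (the handshake is triggered once the handler is added to an active channel, so parameters set afterwards are ignored). The class name VerifiedTlsInitializer, the peerHost/peerPort fields and the hostnameVerificationEnabled helper are assumptions for illustration; the Netty and javax.net.ssl calls are the ones documented in the links above.

```java
import io.netty.channel.Channel;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelPipeline;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Added example (hypothetical class): a client-side initializer that enables
 * hostname verification on a Netty SslHandler. Assumes the peer host and port
 * are known when the channel is initialised; they are needed both for SNI and
 * as the reference name for the endpoint identification check.
 */
public final class VerifiedTlsInitializer extends ChannelInitializer<Channel> {

    private final SslContext sslContext;
    private final String peerHost;
    private final int peerPort;

    public VerifiedTlsInitializer(String peerHost, int peerPort) throws SSLException {
        this.peerHost = peerHost;
        this.peerPort = peerPort;
        // Client context backed by the JDK default trust store. This validates
        // the certificate chain, but on its own does NOT check that the
        // certificate was issued for peerHost.
        this.sslContext = SslContextBuilder.forClient().build();
    }

    @Override
    protected void initChannel(Channel ch) {
        // Passing host/port makes the engine SNI-aware and gives the endpoint
        // identification algorithm a hostname to compare against.
        SslHandler sslHandler = sslContext.newHandler(ch.alloc(), peerHost, peerPort);

        // Default: getEndpointIdentificationAlgorithm() is null, so any
        // certificate chaining to a trusted CA is accepted regardless of name.
        SSLEngine engine = sslHandler.engine();
        SSLParameters params = engine.getSSLParameters();
        // "HTTPS" selects RFC 2818 style matching of SAN/CN against peerHost.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);

        // Only now add the handler: the handshake starts once it is in the
        // pipeline of an active channel, and parameters set later are ignored.
        ChannelPipeline p = ch.pipeline();
        p.addFirst("ssl", sslHandler);
        // ... application handlers follow
    }

    /**
     * Hypothetical helper for a test or startup self-check: true when the
     * handler's engine will verify the peer hostname during the handshake.
     */
    static boolean hostnameVerificationEnabled(SslHandler handler) {
        String alg = handler.engine().getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }
}
```

When auditing a library that wraps Netty, the hostnameVerificationEnabled check above is the thing to assert in an integration test: build the handler the same way the library does, and fail the test if the algorithm is still null.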