Security issue in jboss client netty-handler
Issue
Analysing security issues of jboss-client, I came across an issue reported by Sonatype: sonatype-2020-0026 (wildfly-client-all:19.1.0.FINAL), which described the issue as:
The netty-handler package is vulnerable to Improper Certificate Validation. The newHandler methods in SslContext.class do not verify hostnames by default when generating a new SSLEngine. An attacker can exploit this as part of a Man-in-the-Middle (MITM) attack to spoof their identity and gain access to or modify sensitive data.
Reference: https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-
Sonatype CVSS 3: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
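As an added example (not code from the Red Hat article, the Sonatype report, or the Netty project), the following client pipeline initializer shows the mitigation on the Netty side: after creating the handler with newHandler(), explicitly enable endpoint identification on the SSLEngine so the server certificate is checked against the expected hostname. The peer host and port are assumed values supplied by the caller.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.socket.SocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/** Client pipeline initializer that turns on hostname verification for the Netty SslHandler. */
public class VerifiedTlsClientInitializer extends ChannelInitializer<SocketChannel> {

    private final SslContext sslContext;
    private final String peerHost;   // assumed value, e.g. "remote.example"
    private final int peerPort;      // assumed value, e.g. 8443

    public VerifiedTlsClientInitializer(String peerHost, int peerPort) throws SSLException {
        // Default client context: trusts the JDK trust store, but newHandler() alone
        // does not enable endpoint identification on the engines it creates.
        this.sslContext = SslContextBuilder.forClient().build();
        this.peerHost = peerHost;
        this.peerPort = peerPort;
    }

    /** Builds a handler whose SSLEngine checks the certificate against the peer hostname. */
    public SslHandler newVerifyingHandler(ByteBufAllocator alloc) {
        // Passing host/port sets SNI and records the expected peer name...
        SslHandler handler = sslContext.newHandler(alloc, peerHost, peerPort);
        // ...but the endpoint identification algorithm must be set explicitly,
        // and it must be set before the handshake starts (i.e. before the handler is added).
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style hostname check
        engine.setSSLParameters(params);
        return handler;
    }

    @Override
    protected void initChannel(SocketChannel ch) {
        ch.pipeline().addLast(newVerifyingHandler(ch.alloc()));
    }
}
```

With this in place a certificate whose subject names do not match the configured peer host fails the handshake instead of being accepted silently.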
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 7.3.x
- Netty Handler 7.3.x