Security issue in jboss client netty-handler

Solution Unverified - Updated -

Issue

Analysing security issues of jboss-client, I came across an issue reported by Sonatype: sonatype-2020-0026 (wildfly-client-all:19.1.0.FINAL) which described the issue as

The netty-handler package is vulnerable to Improper Certificate Validation. The newHandler methods in SslContext.class do not verify hostnames by default when generating a new SSLEngine. An attacker can exploit this as part of a Man-in-the-Middle (MITM) attack to spoof their identity and gain access to or modify sensitive data.
Reference: https://netty.io/4.1/api/io/netty/handler/ssl/SslContext.html#newHandler-io.netty.buffer.ByteBufAllocator-java.util.concurrent.Executor-

Sonatype CVSS 3: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
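One way to close the gap the Sonatype report describes, shown here as an added example that is not code from this article, from Red Hat's resolution, or from the Netty project (the class name `VerifiedSslHandlerFactory` is my own): create the client SslHandler with the peer host and port and then switch on JDK endpoint identification on the engine Netty hands back, so the handshake fails unless the server certificate matches the host the client dialled.

```java
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.Channel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslHandler;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLParameters;

/**
 * Builds a client-side SslHandler that, unlike the handler returned by a bare
 * SslContext.newHandler(alloc), checks that the server certificate matches
 * the host the client intended to reach. (Hypothetical helper, not Netty API.)
 */
public final class VerifiedSslHandlerFactory {

    private final SslContext sslContext;

    public VerifiedSslHandlerFactory() throws SSLException {
        // Uses the JDK default trust store. Do not combine hostname checks with
        // InsecureTrustManagerFactory: if every certificate is trusted, matching
        // the name on it proves nothing.
        this.sslContext = SslContextBuilder.forClient().build();
    }

    /** Returns an SslHandler for the given peer with endpoint identification enabled. */
    public SslHandler newVerifiedHandler(ByteBufAllocator alloc, String peerHost, int peerPort) {
        // Passing host and port tells the engine the expected peer (and enables SNI),
        // but on its own it does NOT turn on hostname verification.
        SslHandler handler = sslContext.newHandler(alloc, peerHost, peerPort);

        // Ask the JDK engine to apply RFC 2818 "HTTPS" matching of peerHost against
        // the certificate's subjectAltName / CN during the handshake.
        SSLEngine engine = handler.engine();
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return handler;
    }

    /** Installs the verified handler at the head of a client channel's pipeline. */
    public void install(Channel ch, String peerHost, int peerPort) {
        ch.pipeline().addFirst("ssl", newVerifiedHandler(ch.alloc(), peerHost, peerPort));
    }
}
```

When the presented certificate does not match peerHost, the handler's handshakeFuture() fails with an SSLHandshakeException instead of completing, which is the observable difference to look for when confirming the fix.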

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 7.3.x
      • Netty Handler
