PT-2025-43739 · Maven · org.opensearch.dataprepper.plugins:geoip-processor

Published: 2025-10-15 · Updated: 2025-10-15

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Impact

The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.
The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented a trust-all-certificates approach. Specifically, it:
  • Accepted all SSL certificates without validation
  • Disabled server certificate verification
  • Disabled client certificate verification
  • Disabled hostname verification
This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.
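The following is an added illustration, not the Data Prepper initiateSSL() code: it reconstructs the anti-pattern the advisory describes (a trust-all X509TrustManager combined with a hostname verifier that always succeeds) next to a hardened download path that leaves the JDK's default certificate and hostname validation in place. Class and method names, the placeholder URL and the target path are assumptions made for this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical example contrasting the weakness in the advisory with a hardened
 * download path. Not the Data Prepper initiateSSL() implementation; names are
 * assumptions for this illustration.
 */
public final class GeoIpDatabaseDownload {

    /** INSECURE (the anti-pattern in the advisory): every certificate chain is accepted. */
    static SSLContext trustAllContext() throws GeneralSecurityException {
        X509TrustManager acceptEverything = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { acceptEverything }, null);
        return ctx;
    }

    /** INSECURE: trust-all context plus a hostname verifier that never fails. */
    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(trustAllContext().getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // disables hostname verification
        return conn;
    }

    /** HARDENED: rely on the JDK default trust store and default hostname verification. */
    static HttpsURLConnection openVerified(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("GeoIP database must be fetched over https, got: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Deliberately no setSSLSocketFactory / setHostnameVerifier calls: the defaults
        // validate the chain against the JDK trust store and match the certificate
        // against the requested host name.
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        return conn;
    }

    /** Download to a temp file, then move it into place only after the verified transfer completes. */
    static Path download(URL url, Path destination) throws IOException {
        HttpsURLConnection conn = openVerified(url);
        if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
            throw new IOException("Unexpected HTTP status " + conn.getResponseCode() + " from " + url);
        }
        Path dir = destination.toAbsolutePath().getParent();
        Path tmp = Files.createTempFile(dir, "geoip-", ".tmp");
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, tmp, StandardCopyOption.REPLACE_EXISTING);
        }
        Files.move(tmp, destination, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return destination;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder URL and path: substitute the real database location and target file.
        URL url = new URL("https://geoip.example.invalid/GeoLite2-City.mmdb");
        Path target = Path.of("/tmp/GeoLite2-City.mmdb");
        System.out.println("Saved " + download(url, target));
    }
}
```

The point of the hardened variant is what it does not do: it never installs a custom SSLSocketFactory or HostnameVerifier, so a forged or mismatched certificate fails the handshake instead of silently delivering a substituted database. A quick audit check for the same defect in any Java code base is to grep for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `setHostnameVerifier` calls that return `true` unconditionally.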

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:
  • Use local GeoIP database files instead of downloading from HTTP URLs
  • Ensure database downloads occur only over trusted networks

Fix

Weakness Enumeration

Improper Certificate Validation

Related identifiers

GHSA-3XGR-H5HQ-7299

Affected products

org.opensearch.dataprepper.plugins:geoip-processor