PT-2022-21798 · Apache · Apache Pulsar Broker, Proxy, and WebSocket Proxy
Michael Marshall · Published 2022-09-23 · Updated 2022-09-27
CVE-2022-33682
CVSS v3.1: 5.9 (Medium)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.6.4 and earlier
Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 through 2.7.4
Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.8.0 through 2.8.3
Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.9.0 through 2.9.2
Apache Pulsar Broker, Proxy, and WebSocket Proxy version 2.10.0
Description
TLS hostname verification cannot be enabled in the Pulsar Broker's Java Client, the Pulsar Broker's Java Admin Client, the Pulsar WebSocket Proxy's Java Client, and the Pulsar Proxy's Admin Client, leaving intra-cluster connections and geo-replication connections vulnerable to man-in-the-middle attacks. This could leak credentials, configuration data, message data, and any other data sent by these clients. The vulnerability affects both the pulsar+ssl protocol and HTTPS. To exploit it, an attacker must control a machine on the path between the client and the server, actively manipulate traffic, and present the client with a certificate that is cryptographically valid (issued by a trusted CA) but issued for an unrelated host; because the client never compares the certificate's name against the host it dialled, that certificate is accepted.
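The failure mode described above, as an added illustration that is not code from Apache Pulsar: a Python model of a TLS client's accept decision, showing that CA-chain validation alone accepts a certificate issued for an unrelated host, and that only the hostname-matching step (the one these clients could not enable) rejects it. The `PeerCertificate` fields, the host names and the `accept_peer` decision function are constructed for this example; the name-matching rules follow RFC 6125 (case-insensitive DNS-ID comparison, a wildcard honoured only as the complete leftmost label, subject CN consulted only when no SAN is present).

```python
"""Chain validation vs. hostname verification: why a CA-signed certificate for
an unrelated host passes a client that skips the name check.
Added example; not Apache Pulsar code."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCertificate:
    """Minimal model of what a TLS stack hands back after chain validation.
    Constructed for this example; real code reads these from the X.509 parser."""
    subject_cn: str
    dns_sans: list = field(default_factory=list)
    ip_sans: list = field(default_factory=list)
    chain_trusted: bool = True  # outcome of CA-chain validation, done separately


def _dns_id_match(pattern: str, host: str) -> bool:
    """RFC 6125 style DNS-ID matching: case-insensitive; '*' is honoured only as
    the whole leftmost label, never matches across a dot, and needs at least
    two fixed labels after it (so '*.internal' does not match 'broker.internal')."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: PeerCertificate, expected_host: str) -> bool:
    """Does the certificate actually name the host the client dialled?"""
    try:
        ip = ipaddress.ip_address(expected_host)
    except ValueError:
        ip = None
    if ip is not None:  # dialled by IP: only an IP SAN can match
        return any(ipaddress.ip_address(s) == ip for s in cert.ip_sans)
    if cert.dns_sans:  # SAN present: subject CN is ignored, as modern validators do
        return any(_dns_id_match(s, expected_host) for s in cert.dns_sans)
    return _dns_id_match(cert.subject_cn, expected_host)


def accept_peer(cert: PeerCertificate, expected_host: str,
                hostname_verification_enabled: bool) -> bool:
    """Models the client's decision. Chain trust is always required; the name
    check is the step the vulnerable Pulsar clients could not turn on."""
    if not cert.chain_trusted:
        return False
    if not hostname_verification_enabled:
        return True  # any CA-signed certificate, for any host, is accepted
    return hostname_matches(cert, expected_host)


def scenario() -> dict:
    """Constructed scenario: an on-path host presents a certificate that a
    trusted CA really issued, but for a name unrelated to the broker dialled."""
    dialled = "broker1.pulsar.internal"
    unrelated = PeerCertificate("unrelated.example.net", ["unrelated.example.net"])
    genuine = PeerCertificate(dialled, [dialled])
    return {
        "unrelated_cert_verification_off": accept_peer(unrelated, dialled, False),
        "unrelated_cert_verification_on": accept_peer(unrelated, dialled, True),
        "genuine_cert_verification_on": accept_peer(genuine, dialled, True),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print(f"{case}: {'ACCEPTED' if accepted else 'rejected'}")
```

With verification off, the unrelated certificate is accepted because it is chain-valid; with it on, the same certificate is rejected while the broker's own certificate still passes. This is the same distinction as the `allowTlsInsecureConnection` (chain trust) and `enableTlsHostnameVerification` (name check) options a Pulsar client exposes to its users, and the fix for this issue makes the name check available to the internal clients as well.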
Recommendations
For Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.6.4 and earlier, update to a version that includes the fix for this issue.
For Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.7.0 through 2.7.4, update to a version that includes the fix for this issue.
For Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.8.0 through 2.8.3, update to a version that includes the fix for this issue.
For Apache Pulsar Broker, Proxy, and WebSocket Proxy versions 2.9.0 through 2.9.2, update to a version that includes the fix for this issue.
For Apache Pulsar Broker, Proxy, and WebSocket Proxy version 2.10.0, update to a version that includes the fix for this issue.
As a temporary workaround, consider restricting access to the vulnerable clients to minimize the risk of exploitation.
Fix
Weakness Enumeration
CWE-295: Improper Certificate Validation
Related Identifiers
Affected Products
Apache Pulsar Broker
Apache Pulsar Proxy
Apache Pulsar Websocket Proxy