PT-2022-21799 · Apache · Apache Pulsar Broker/Proxy

Michael Marshall · Published 2022-09-23 · Updated 2022-09-27 · CVE-2022-33683

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Pulsar Broker and Proxy versions 2.6.4 and earlier
Apache Pulsar Broker and Proxy versions 2.7.0 through 2.7.4
Apache Pulsar Broker and Proxy versions 2.8.0 through 2.8.3
Apache Pulsar Broker and Proxy versions 2.9.0 through 2.9.2
Apache Pulsar Broker and Proxy version 2.10.0
Description

The Pulsar Admin Client's intra-cluster and geo-replication HTTPS connections are vulnerable to man-in-the-middle attacks because they do not verify the peer's TLS certificate, even when tlsAllowInsecureConnection is disabled. This can leak authentication data, configuration data, and any other data sent by these clients. To exploit the flaw, an attacker must control a machine on the network path between the client and the server and actively manipulate the traffic.
Recommendations

Update to a version that verifies peer TLS certificates if you run any of the following:

Apache Pulsar Broker and Proxy versions 2.6.4 and earlier
Apache Pulsar Broker and Proxy versions 2.7.0 through 2.7.4
Apache Pulsar Broker and Proxy versions 2.8.0 through 2.8.3
Apache Pulsar Broker and Proxy versions 2.9.0 through 2.9.2
Apache Pulsar Broker and Proxy version 2.10.0

As a temporary workaround, restrict network access to the intra-cluster and geo-replication HTTPS connections to reduce the risk of exploitation.

Weakness Enumeration

Improper Certificate Validation

Related Identifiers

CVE-2022-33683
GHSA-J3QW-G67Q-7M64

Affected Products

Apache Pulsar Broker/Proxy