PT-2022-5873 · Apache · Apache Pulsar C++ Client, Apache Pulsar Python Client

Michael Rowley · Published 2022-11-04 · Updated 2023-01-26 · CVE-2022-33684

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Pulsar C++ Client versions 2.7.0 through 2.7.4
Apache Pulsar C++ Client versions 2.8.0 through 2.8.3
Apache Pulsar C++ Client versions 2.9.0 through 2.9.2
Apache Pulsar C++ Client versions 2.10.0 through 2.10.1
Apache Pulsar C++ Client version 2.6.4 and earlier
Apache Pulsar Python Client versions 2.7.0 through 2.7.4
Apache Pulsar Python Client versions 2.8.0 through 2.8.3
Apache Pulsar Python Client versions 2.9.0 through 2.9.2
Apache Pulsar Python Client versions 2.10.0 through 2.10.1
Apache Pulsar Python Client version 2.6.4 and earlier
Description

The Apache Pulsar C++ Client and Python Client do not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This allows an attacker to perform a man-in-the-middle attack and intercept and/or modify the GET request sent to the ClientCredentialFlow "issuer url". The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server and then authenticate with an Apache Pulsar cluster. An attacker must take control of a machine "between" the client and the server and actively manipulate traffic to perform the attack.
Recommendations

2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials, including client id and client secret.
2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials, including client id and client secret.
2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials, including client id and client secret.
2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials, including client id and client secret.
Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions and rotate vulnerable OAuth2.0 credentials, including client id and client secret.

Weakness Enumeration

Improper Certificate Validation (CWE-295)

Related Identifiers

BDU:2022-07288
CVE-2022-33684
GHSA-5R3H-C3R7-9W4H

Affected Products

Apache Pulsar C++ Client
Apache Pulsar Python Client