Ya Xiao created IGNITE-14004:
--------------------------------
Summary: Customized TrustManager bypasses certificate verification
Key: IGNITE-14004
URL:
https://issues.apache.org/jira/browse/IGNITE-14004 Project: Ignite
Issue Type: Improvement
Reporter: Ya Xiao
We found a security vulnerability in file [ignite/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java|
https://github.com/apache/ignite/blob/be3072ff278a2542e41d008b5379473867df3814/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java]. The customized TrustManger (at Line 502) allows all certificates to pass the verification.
*Security Impact*:
The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
*Useful Resources*:
[
https://cwe.mitre.org/data/definitions/295.html]
[
https://developer.android.com/training/articles/security-ssl|
https://developer.android.com/training/articles/security-ssl#SelfSigned]
*Solution we suggest:*
Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See [here|
https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other common cases.
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
