A newly-discovered vulnerability in Apache Pulsar allows a remote attacker to carry out a manipulator-in-the-middle (MitM) attack due to improper certificate validation.
Apache Pulsar is a distributed, open source solution for server-to-server messaging and queuing built on the publisher-subscribe pattern.
It’s used by thousands of companies for high-performance data pipelines, microservices, instant messaging, data integrations, and more, managing hundreds of billions of events per day.
But a delay in the TLS hostname verification process in the Pulsar Java Client and the Pulsar Proxy, discovered by Michael Marshall of cloud database-as-a-service firm DataStax, makes each client vulnerable to a MitM middle attack.
The vulnerability isn’t specific to the Pulsar protocol, but exists thanks to a fundamental weakness in TLS hostname verification that means that the protocol fails to enforce hostname verification.
The Pulsar Java Client sends its client certificate as part of its client authentication step, while the Pulsar Proxy sends its server certificate as part of its authentication step.
However, authentication data is sent before verifying that the server’s TLS certificate matches the hostname, meaning that authentication data could be exposed to an attacker.
Attack method
To take advantage of this vulnerability, an attacker would need to take control of a machine between the client and the server. They would then have to actively manipulate traffic to perform the attack by providing the client with a cryptographically valid certificate for an unrelated host.
And because the client sends authentication data before performing the hostname verification, it would be possible for the attacker to gain access to the client’s authentication data.
When the client verifies the hostname and establishes that the targeted hostname does not match a hostname on the certificate, the client eventually closes the connection.
This means that the value of the intercepted authentication data will depend on the authentication method used by the client, with token-based and username/password methods left vulnerable because the authentication data can be used to impersonate the client in a separate session.
The vulnerability, rated medium severity, affects Apache Pulsar Java Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0; and 2.6.4 and earlier.
Users are advised to upgrade to unaffected versions – 2.7.5, 2.8.4, 2.9.3, 2.10.1, or higher – and to rotate vulnerable authentication data, including tokens and passwords.
DataStax says it has alerted its customers to the flaw. “The Pulsar security issues have already been fixed for the DataStax Luna Streaming offering and will be in an update to our Astra Streaming service soon,” says a spokesperson.