CVE-2019-0231 - OpenCVE

Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Mina

Configuration 1 [-]

OR	cpe:2.3:a:apache:mina:2.0.20:::::::*
	cpe:2.3:a:apache:mina:2.1.1:::::::*

References

Link	Resource
http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019	Release Notes Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2019-09-27T00:00:00

Updated: 2019-10-01T19:39:53

Reserved: 2018-11-14T00:00:00

Link: CVE-2019-0231

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-10-01T20:15:11.010

Modified: 2019-10-08T17:47:22.907

Link: CVE-2019-0231

JSON object: View

Redhat Information

No data.

CWE

CWE-319

{"containers": {"cna": {"affected": [{"product": "Apache MINA ", "vendor": "Apache Software Foundation", "versions": [{"status": "affected", "version": "Apache MINA 2.1 2.1.0"}, {"status": "affected", "version": "Apache MINA 2.0 2.0.21"}]}], "credits": [{"lang": "en", "value": "This issue was discovered and reported by Oleksii Osypov."}], "datePublic": "2019-09-27T00:00:00", "descriptions": [{"lang": "en", "value": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA."}], "problemTypes": [{"descriptions": [{"description": "SSLFilter security Issue", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-10-01T19:39:53", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache MINA SSLFilter security Issue", "x_generator": {"engine": "Vulnogram 0.0.8"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "DATE_PUBLIC": "27/9/2019", "ID": "CVE-2019-0231", "STATE": "PUBLIC", "TITLE": "Apache MINA SSLFilter security Issue"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache MINA ", "version": {"version_data": [{"version_name": "Apache MINA 2.1", "version_value": "2.1.0"}, {"version_name": "Apache MINA 2.0", "version_value": "2.0.21"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered and reported by Oleksii Osypov."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA."}]}, "generator": {"engine": "Vulnogram 0.0.8"}, "impact": {}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "SSLFilter security Issue"}]}]}, "references": {"reference_data": [{"name": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019", "refsource": "MISC", "url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"}]}, "source": {"discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2019-0231", "datePublished": "2019-09-27T00:00:00", "dateReserved": "2018-11-14T00:00:00", "dateUpdated": "2019-10-01T19:39:53", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:mina:2.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "0CD439CD-F68E-475E-886F-6A395028CEA1", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:mina:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "76C4B7AD-D821-4065-9502-44FBF3DAEF66", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA."}, {"lang": "es", "value": "El manejo del mensaje close_notify de SSL/TLS no conlleva a un cierre de la conexi\u00f3n, conduciendo a que el servidor retenga el socket abierto y que el cliente reciba potencialmente mensajes de texto sin cifrar m\u00e1s tarde. Mitigaci\u00f3n: los usuarios de la versi\u00f3n 2.0.20 deber\u00edan migrar a la versi\u00f3n 2.0.21, los usuarios de la versi\u00f3n 2.1.0 deber\u00edan migrar a la versi\u00f3n 2.1.1. Este problema afecta a: Apache MINA."}], "id": "CVE-2019-0231", "lastModified": "2019-10-08T17:47:22.907", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-10-01T20:15:11.010", "references": [{"source": "security@apache.org", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://mina.apache.org/mina-project/index.html#mina-211-mina-2021-released-posted-on-april-14-2019"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}], "source": "nvd@nist.gov", "type": "Primary"}]}