CVE-2022-33684 in Pulsar C++ Client

Summary

by MITRE • 11/04/2022

The Apache Pulsar C++ Client does not verify peer TLS certificates when making HTTPS calls for the OAuth2.0 Client Credential Flow, even when tlsAllowInsecureConnection is disabled via configuration. This vulnerability allows an attacker to perform a man in the middle attack and intercept and/or modify the GET request that is sent to the ClientCredentialFlow 'issuer url'. The intercepted credentials can be used to acquire authentication data from the OAuth2.0 server to then authenticate with an Apache Pulsar cluster. An attacker can only take advantage of this vulnerability by taking control of a machine 'between' the client and the server. The attacker must then actively manipulate traffic to perform the attack. The Apache Pulsar Python Client wraps the C++ client, so it is also vulnerable in the same way. This issue affects Apache Pulsar C++ Client and Python Client versions 2.7.0 to 2.7.4; 2.8.0 to 2.8.3; 2.9.0 to 2.9.2; 2.10.0 to 2.10.1; 2.6.4 and earlier. Any users running affected versions of the C++ Client or the Python Client should rotate vulnerable OAuth2.0 credentials, including client_id and client_secret. 2.7 C++ and Python Client users should upgrade to 2.7.5 and rotate vulnerable OAuth2.0 credentials. 2.8 C++ and Python Client users should upgrade to 2.8.4 and rotate vulnerable OAuth2.0 credentials. 2.9 C++ and Python Client users should upgrade to 2.9.3 and rotate vulnerable OAuth2.0 credentials. 2.10 C++ and Python Client users should upgrade to 2.10.2 and rotate vulnerable OAuth2.0 credentials. 3.0 C++ users are unaffected and 3.0 Python Client users will be unaffected when it is released. Any users running the C++ and Python Client for 2.6 or less should upgrade to one of the above patched versions.


Analysis

by VulDB Data Team • 05/03/2025

The vulnerability described in CVE-2022-33684 represents a critical security flaw in the Apache Pulsar C++ and Python client implementations that directly impacts the integrity of OAuth2.0 authentication flows. This issue manifests when the client attempts to establish HTTPS connections to OAuth2.0 issuer endpoints using the Client Credential Flow mechanism, where the TLS certificate verification process is bypassed despite explicit configuration to disable insecure connections. The flaw resides in the client's handling of TLS validation during the authentication handshake, specifically when communicating with OAuth2.0 servers to obtain authentication tokens. This represents a failure in the fundamental security principle of certificate validation, which is categorized under CWE-295 - Improper Certificate Validation, and directly enables man-in-the-middle attack scenarios where attackers can intercept and manipulate the authentication process.

The technical exploitation of this vulnerability requires an attacker to occupy a position between the client and the OAuth2.0 server within the network infrastructure, typically through network compromise or traffic interception capabilities. This attack vector aligns with ATT&CK technique T1566.001 - Phishing, where the attack is not direct but rather relies on network position to intercept communications. The vulnerability specifically affects the Client Credential Flow implementation, where the client sends GET requests to the issuer URL to retrieve tokens, making this exchange susceptible to interception and modification. The flaw exists because the client implementation fails to apply the tlsAllowInsecureConnection configuration parameter to these HTTPS calls, so peer certificate validation is skipped even when the user has explicitly left insecure connections disabled.
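The defect described above is a configuration-propagation failure: the OAuth2.0 HTTPS path built its own TLS settings instead of deriving them from the client's tlsAllowInsecureConnection flag. The following is an added Python example (not code from the Pulsar project or from this page) that shows the defect pattern beside the hardened form. It uses Python's standard `ssl` and `urllib` modules rather than the Pulsar client; the `ClientTlsConfig` dataclass, the function names and the injectable `opener` parameter are constructed for illustration, with field names chosen to mirror the Pulsar client options named in the advisory.

```python
import json
import ssl
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.request import Request, urlopen


@dataclass
class ClientTlsConfig:
    """Constructed stand-in for the client's TLS settings. Field names follow
    the Pulsar options tlsAllowInsecureConnection and tlsTrustCertsFilePath."""
    tls_allow_insecure_connection: bool = False
    tls_trust_certs_file_path: Optional[str] = None


def context_ignoring_config(cfg: ClientTlsConfig) -> ssl.SSLContext:
    """The defect pattern: the OAuth2 HTTPS path builds its own context and
    never consults cfg, so the issuer's certificate is accepted unverified
    even when tls_allow_insecure_connection is False."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_from_config(cfg: ClientTlsConfig) -> ssl.SSLContext:
    """Hardened form: derive the OAuth2 HTTPS context from the same flag and
    trust store that the broker connection uses."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED plus hostname check
    if cfg.tls_trust_certs_file_path:
        ctx.load_verify_locations(cafile=cfg.tls_trust_certs_file_path)
    if cfg.tls_allow_insecure_connection:
        # Only an explicit opt-in disables verification. Order matters:
        # check_hostname must be cleared before verify_mode can be CERT_NONE.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context validates the chain and checks the hostname."""
    return bool(ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname)


def fetch_issuer_document(issuer_url: str, cfg: ClientTlsConfig,
                          opener: Callable = urlopen) -> dict:
    """GET against the issuer URL (the request the advisory describes) using a
    context that honours the client's TLS configuration. `opener` is injectable
    (hypothetical parameter) so the function can be exercised without a network."""
    req = Request(issuer_url, headers={"Accept": "application/json"})
    with opener(req, context=context_from_config(cfg), timeout=10) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    cfg = ClientTlsConfig()  # insecure connections disabled, as in the advisory
    print("defect pattern verifies peer:", verifies_peer(context_ignoring_config(cfg)))
    print("hardened form verifies peer: ", verifies_peer(context_from_config(cfg)))
```

The point of the contrast is that with the default configuration the hardened context reports `CERT_REQUIRED` with hostname checking on, while the defect pattern reports `CERT_NONE` regardless of configuration; a unit test of exactly this property on every HTTPS code path (broker connection and token fetch alike) is the check that would have caught the flaw.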

Operational impacts of this vulnerability extend beyond simple credential interception to potentially compromise access to an entire Apache Pulsar cluster. When attackers successfully intercept the authentication tokens, they can use these credentials to authenticate with the Pulsar cluster, gaining unauthorized access to message queues, topics, and potentially sensitive data flowing through the system. The vulnerability affects multiple version ranges across the Pulsar client ecosystem, including versions 2.7.0-2.7.4, 2.8.0-2.8.3, 2.9.0-2.9.2, 2.10.0-2.10.1, and 2.6.4 and earlier, demonstrating a widespread impact across the client base. The Python client is vulnerable in the same way because it directly wraps the C++ client implementation, so both clients share the same underlying flaw. This creates a cascading security risk where organizations using either client type are equally exposed, regardless of their programming language choice.

Organizations affected by this vulnerability must implement immediate remediation measures, including credential rotation for all OAuth2.0 credentials that were used with vulnerable client versions. The recommended mitigation strategy involves upgrading to patched versions of the Apache Pulsar clients as specified in the advisory, with different version requirements for each affected release line. Versions 2.7.5, 2.8.4, 2.9.3, and 2.10.2 are the minimum patched versions for their respective release lines, and the 3.0 release is unaffected for both C++ and Python clients. The upgrade should be accompanied by comprehensive credential rotation, since interception may already have occurred during the period when vulnerable versions were in use. Security teams should also implement network monitoring to detect unusual authentication patterns or traffic anomalies that might indicate attempted exploitation, as the attack requires active network manipulation and may be detectable through traffic analysis.
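Turning the version ranges and fixed versions from the advisory into an inventory check is the first remediation step for most teams. The following is an added Python example, not code from VulDB or the Pulsar project: it encodes the affected ranges and patched versions exactly as the advisory states them and assesses a constructed sample inventory. Release lines the advisory does not mention (for example 3.0) are treated as unaffected, and anything below 2.7.0 is treated as affected following the advisory's "2.6 or less should upgrade" guidance; the `SAMPLE_INVENTORY` host names are constructed.

```python
from typing import Iterable, List, NamedTuple, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'major.minor.patch' (an optional leading 'v' is tolerated)."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


class Assessment(NamedTuple):
    version: str
    affected: bool
    upgrade_to: Optional[str]   # None when no upgrade is required
    rotate_credentials: bool    # the advisory requires rotation for every affected version


# Affected ranges (inclusive) and the fixed version per line, from the advisory.
AFFECTED_RANGES = (
    ((2, 7, 0), (2, 7, 4), "2.7.5"),
    ((2, 8, 0), (2, 8, 3), "2.8.4"),
    ((2, 9, 0), (2, 9, 2), "2.9.3"),
    ((2, 10, 0), (2, 10, 1), "2.10.2"),
)
# 2.6.4 and earlier: the advisory says to move to any patched line; the
# oldest patched line is used here as the suggested target.
OLDEST_PATCHED = "2.7.5"


def assess(version: str) -> Assessment:
    """Classify one C++ or Python client version against the advisory."""
    v = parse_version(version)
    if v < (2, 7, 0):
        return Assessment(version, True, OLDEST_PATCHED, True)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return Assessment(version, True, fixed, True)
    return Assessment(version, False, None, False)


# Constructed sample inventory: (host, package, version).
SAMPLE_INVENTORY = [
    ("ingest-01", "pulsar-client-cpp", "2.8.3"),
    ("ingest-02", "pulsar-client (python)", "2.10.1"),
    ("batch-07", "pulsar-client (python)", "2.6.4"),
    ("edge-03", "pulsar-client-cpp", "2.9.3"),
    ("edge-04", "pulsar-client-cpp", "3.0.0"),
]


def affected_entries(records: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, Assessment]]:
    """Return only the inventory rows that need an upgrade and credential rotation."""
    out = []
    for host, package, version in records:
        result = assess(version)
        if result.affected:
            out.append((host, package, result))
    return out


if __name__ == "__main__":
    for host, package, result in affected_entries(SAMPLE_INVENTORY):
        print(f"{host}: {package} {result.version} -> upgrade to {result.upgrade_to}, "
              f"rotate client_id/client_secret: {result.rotate_credentials}")
```

Because the Python client wraps the C++ client, both package kinds go through the same table; the rotation flag is deliberately tied to `affected` so that no affected row can be closed out by an upgrade alone.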

Reservation

06/15/2022

Disclosure

11/04/2022

Moderation

accepted

CPE

ready

EPSS

0.00704

KEV

no

Activities

very low

Sources
