Learn about CVE-2019-10091, a vulnerability in Apache Geode that exposes intra-cluster communication to man-in-the-middle attacks due to TLS hostname verification failure.
Apache Geode TLS hostname verification vulnerability
Understanding CVE-2019-10091
What is CVE-2019-10091?
When Apache Geode is configured with TLS and ssl-endpoint-identification-enabled is set to true, it does not check the peer's hostname against the entries in the certificate's Subject Alternative Name (SAN) during the SSL handshake, so a certificate for a different host is accepted and intra-cluster communication is potentially exposed to man-in-the-middle attacks.
The Impact of CVE-2019-10091
This vulnerability could compromise the security of intra-cluster communication within Apache Geode deployments, allowing unauthorized access and interception of sensitive data.
Technical Details of CVE-2019-10091
Vulnerability Description
Apache Geode does not perform hostname verification of the entries in the certificate's Subject Alternative Name (SAN) during the SSL handshake, even when TLS is enabled with ssl-endpoint-identification-enabled set to true, the setting that is meant to request exactly that check.
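The missing step described above is the comparison a TLS endpoint must make once endpoint identification is enabled: the peer's hostname against the dNSName and iPAddress entries of the certificate's SAN. The Python example below is added here and is not Apache Geode code (Geode is written in Java and turns the check on through ssl-endpoint-identification-enabled); it shows the RFC 6125-style matching rules such a check has to implement, the edge cases a verifier must reject (wildcards spanning several labels, wildcards on short names, IP literals matched against DNS entries), and the ssl module settings that ask Python's own TLS stack to perform the same verification. The certificate dictionary and hostnames are constructed sample values in the shape returned by ssl.SSLSocket.getpeercert().

```python
"""Hostname verification against certificate SAN entries.

Added example, not Apache Geode code. Demonstrates what "endpoint
identification" means at the handshake: the hostname the client
intended to reach must match a subjectAltName entry of the presented
certificate. Without this step any certificate the trust store accepts
is good for any host, which is the failure described for CVE-2019-10091.
"""
import ipaddress
import ssl


class HostnameMismatch(Exception):
    """Raised when the presented certificate is not for the intended peer."""


def dns_pattern_matches(pattern: str, host: str) -> bool:
    """Match one dNSName SAN entry against a (lowercased) hostname.

    Rules follow RFC 6125 section 6.4.3 as commonly implemented:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is accepted only as a bare '*' in the left-most label;
      * a wildcard matches exactly one label, never zero or several;
      * a wildcard is rejected on names with fewer than three labels,
        so '*.internal' cannot match 'geode.internal'.
    """
    pattern = pattern.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        if (p_labels[0] != "*"
                or any("*" in lbl for lbl in p_labels[1:])
                or len(p_labels) < 3):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches_san(hostname: str, san_entries) -> bool:
    """Return True if hostname matches any SAN entry.

    san_entries has the shape of getpeercert()['subjectAltName']:
    a sequence of (kind, value) tuples such as ('DNS', 'a.example') or
    ('IP Address', '10.0.0.5'). An IP literal only ever matches an
    iPAddress entry; a DNS name only ever matches a dNSName entry.
    """
    host = hostname.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "IP Address" and ip is not None:
            try:
                if ip == ipaddress.ip_address(value):
                    return True
            except ValueError:
                continue  # malformed entry never matches
        elif kind == "DNS" and ip is None:
            if dns_pattern_matches(value, host):
                return True
    return False


def identity_failure(hostname: str, peer_cert: dict):
    """Return None if the certificate is for hostname, else a reason string.

    Deliberately does not fall back to the subject commonName: a modern
    verifier treats a certificate without a SAN as not identifying any host.
    """
    san = peer_cert.get("subjectAltName", ())
    if not san:
        return "certificate carries no subjectAltName extension"
    if not hostname_matches_san(hostname, san):
        return f"hostname {hostname!r} matches no SAN entry in {san!r}"
    return None


def verify_peer_identity(hostname: str, peer_cert: dict) -> None:
    """Raise HostnameMismatch unless the certificate identifies hostname."""
    reason = identity_failure(hostname, peer_cert)
    if reason is not None:
        raise HostnameMismatch(reason)


def endpoint_identification_context() -> ssl.SSLContext:
    """Client context that makes the TLS stack itself perform the check:
    a trusted chain is required AND the hostname must match the SAN."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True  # the Python equivalent of endpoint identification
    return ctx


def context_requires_identification(ctx: ssl.SSLContext) -> bool:
    """True only when both chain validation and hostname checking are on."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


# Constructed sample certificate, shaped like SSLSocket.getpeercert() output.
CONSTRUCTED_PEER_CERT = {
    "subject": ((("commonName", "locator1.geode.internal"),),),
    "subjectAltName": (
        ("DNS", "locator1.geode.internal"),
        ("DNS", "*.members.geode.internal"),
        ("IP Address", "10.0.0.5"),
    ),
}

if __name__ == "__main__":
    for name in ("locator1.geode.internal", "server2.members.geode.internal",
                 "a.b.members.geode.internal", "10.0.0.5", "rogue.example.com"):
        print(f"{name:32} -> {identity_failure(name, CONSTRUCTED_PEER_CERT) or 'OK'}")
```

The deliberate choice not to fall back to the certificate's commonName mirrors what current TLS libraries do; a verifier that silently accepts any trusted certificate when the SAN does not match, or that skips the comparison altogether, reproduces the weakness this page describes.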
Affected Systems and Versions
Exploitation Mechanism
The vulnerability could be exploited by a man-in-the-middle attacker positioned between cluster members: because the peer's hostname is never checked against the presented certificate, a certificate issued for a different host is accepted and intra-cluster communication within Apache Geode deployments can be intercepted.
Mitigation and Prevention
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Apply the patched releases provided by the Apache Geode project to address the TLS hostname verification vulnerability, and confirm after upgrading that ssl-endpoint-identification-enabled remains set to true.