Hello, I am a member of the Bosch PSIRT and I am writing to you because a vulnerability was found by developers of an Android application related to one of our products, which is related to a known hostname validation vulnerability in the MQTT library. The fix for the Bosch app is already under development and a security update will be released soon, but we found out that the vulnerability in the MQTT library, despite being known, does not have an associated CVE: https://github.com/eclipse/paho.mqtt.java/issues/506

Therefore, we kindly request that you generate a CVE in order to document this vulnerability for future development. We understand that this vulnerability has been fixed in the latest version of the library. However, according to our developers, they need to use an older version because the current one does not support Android 7.

Please do not hesitate to contact me if you need more details about this; I will be happy to clarify any question with the development team. The overall aim is to do a responsible disclosure of both the vulnerability and the fix so it is taken into account for future projects.

Kind Regards
Carolina Adaros
Bosch PSIRT
Thanks for submitting I will get one created.
Hi Carolina. Can you tell me exactly which version of the Paho library you do need to use, and why the latest version (1.2.1) does not work on Android 7? Thanks.
project: Eclipse Paho - Java client library
version: [1.2.0]
cwe: CWE-346: Origin Validation Error
summary: In the Eclipse Paho Java client library version 1.2.0, when connecting to an MQTT server using TLS and setting a host name verifier, the result of that verification is not checked. This could allow one MQTT server to impersonate another and provide the client library with incorrect information.
Fixed in version 1.2.1
We'll assign CVE-2019-11777
Pull request: https://github.com/CVEProject/cvelist/pull/2537
Thanks Wayne. https://nvd.nist.gov/vuln/detail/CVE-2019-11777
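The defect described in the CVE summary above (the verifier is invoked but its boolean result is discarded, so a server with a valid certificate for a different name is accepted) is easiest to see side by side with the corrected check. The following is an added illustration written for this page; it is not the Paho library's code and does not reproduce the exact change made in 1.2.1. The class name `HostnameCheckDemo`, the CN-only verifier, the `fakeSession` stand-in built with `java.lang.reflect.Proxy` and the host names are all constructed for the demo; `javax.net.ssl.HostnameVerifier`, `SSLSession`, `SSLSocket` and `SSLPeerUnverifiedException` are the standard JDK types. In Paho the application-supplied verifier is passed through `MqttConnectOptions.setSSLHostnameVerifier`, which I assume is the setter the summary refers to.

```java
import java.io.IOException;
import java.lang.reflect.Proxy;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.x500.X500Principal;

public class HostnameCheckDemo {

    /** Constructed verifier for the demo: accepts only if the peer certificate's
     *  subject CN equals the host we dialled. Production code must also check SANs. */
    static final HostnameVerifier CN_VERIFIER = (host, session) -> {
        try {
            String dn = session.getPeerPrincipal().getName();   // e.g. "CN=mqtt.example.com"
            for (String rdn : dn.split(",")) {
                rdn = rdn.trim();
                if (rdn.startsWith("CN=")) {
                    return rdn.substring(3).equalsIgnoreCase(host);
                }
            }
            return false;                       // no CN at all: refuse
        } catch (SSLPeerUnverifiedException e) {
            return false;                       // peer not authenticated: refuse
        }
    };

    /** The pattern the CVE describes: verify() runs, but its result is thrown away,
     *  so the connection proceeds whatever the verifier decided. */
    static boolean vulnerableCheck(HostnameVerifier verifier, String host, SSLSession session) {
        verifier.verify(host, session);         // boolean result ignored
        return true;                            // caller continues with MQTT CONNECT
    }

    /** Corrected pattern: a false result aborts the connection before any MQTT traffic. */
    static void fixedCheck(HostnameVerifier verifier, String host, SSLSession session)
            throws SSLPeerUnverifiedException {
        if (!verifier.verify(host, session)) {
            throw new SSLPeerUnverifiedException("peer certificate does not match host " + host);
        }
    }

    /** Where the check belongs in a real TLS connect: after the handshake completes
     *  and before the client sends its first MQTT packet. Not called by main(). */
    static SSLSocket connectTls(SSLSocketFactory factory, String host, int port,
                                HostnameVerifier verifier) throws IOException {
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        try {
            socket.startHandshake();
            fixedCheck(verifier, host, socket.getSession());   // SSLPeerUnverifiedException is an IOException
            return socket;
        } catch (IOException e) {
            socket.close();                     // never hand back a half-verified socket
            throw e;
        }
    }

    /** Constructed stand-in for an SSLSession whose peer certificate subject is CN=peerCn.
     *  Lets the demo run with no network and no real certificates. */
    static SSLSession fakeSession(String peerCn) {
        return (SSLSession) Proxy.newProxyInstance(
            SSLSession.class.getClassLoader(), new Class<?>[] { SSLSession.class },
            (proxy, method, args) -> {
                switch (method.getName()) {
                    case "getPeerPrincipal": return new X500Principal("CN=" + peerCn);
                    case "getPeerHost":      return peerCn;
                    case "toString":         return "FakeSession(CN=" + peerCn + ")";
                    default: throw new UnsupportedOperationException(method.getName());
                }
            });
    }

    public static void main(String[] args) {
        String dialled = "mqtt.example.com";                          // constructed host
        SSLSession impostor = fakeSession("attacker.example.org");    // valid cert, wrong name

        // 1.2.0-style behaviour: the mismatch is detected by the verifier but not acted on.
        System.out.println("vulnerable: proceeds = " + vulnerableCheck(CN_VERIFIER, dialled, impostor));

        // Fixed behaviour: the same mismatch aborts the connection.
        try {
            fixedCheck(CN_VERIFIER, dialled, impostor);
            System.out.println("fixed: proceeds (unexpected)");
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("fixed: rejected -> " + e.getMessage());
        }

        // A certificate that genuinely names the host still passes the fixed check.
        try {
            fixedCheck(CN_VERIFIER, dialled, fakeSession(dialled));
            System.out.println("fixed: genuine server accepted");
        } catch (SSLPeerUnverifiedException e) {
            System.out.println("fixed: genuine server rejected (unexpected)");
        }
    }
}
```

The practical check for anyone pinned to 1.2.0, as the Bosch developers are above, is to not rely on the library's hostname verifier path at all: perform the verification in application code on the socket returned from the TLS handshake (as `connectTls` does) and treat a `false` from `verify` as a hard failure that closes the socket. Pinning to a `SSLSocketFactory` that refuses the handshake on a name mismatch gives the same effect without depending on the library calling the verifier correctly.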