logo

Database

Insecure digital certificates In org.opensearch.dataprepper.plugins:geoip-processor

Description

GeoIP processor disables SSL certificate validation when downloading databases

Impact

The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.

The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically it:

    Accepted all SSL certificates without validation

    Disabled server certificate verification

    Disabled client certificate verification

    Disabled hostname verification

This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.

Patches

Data Prepper 2.12.2 contains a fix for this issue.

Workarounds

If upgrading is not immediately possible:

    Use local GeoIP database files instead of downloading from HTTP URLs

    Ensure database downloads occur only over trusted networks

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. GHSA-3xgr-h5hq-72992. GCVE-GHSA-3xgr-h5hq-7299

References

1. https://github.com/opensearch-project/data-prepper/security/advisories/GHSA-3xgr-h5hq-72992. https://github.com/opensearch-project/data-prepper/commit/b82ea0640d98d9f4c742622325faeeb6248ee135

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.