
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN025
_____________________________________________________________________

DATE                : 16/01/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Any system running Apache Beam versions 2.10.0
                                   through 2.16.0 (i.e. prior to 2.17.0).

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202001.mbox/%3cCAE7Uba-PjPu5G-6F9k5WdkB=OEj5H8MvO8YtSKXfKCAme2tvOg@mail.gmail.com%3e
_____________________________________________________________________

CVE-2020-1929 Apache Beam MongoDB IO connector disables certificate
trust verification

Severity: Major
Vendor: The Apache Software Foundation

Versions Affected:
Apache Beam 2.10.0 to 2.16.0

Description:
The Apache Beam MongoDB IO connector in versions 2.10.0 to 2.16.0 offers
an option to disable SSL/TLS certificate trust verification. That option
is not respected: the connector disables certificate trust verification
in every case, whether or not the user asked for it. The trust-all
exclusion is also registered globally in the JVM rather than being scoped
to the MongoDB client, so trust checking is disabled for any other code
running in the same JVM (every TLS connection in that process, not only
the MongoDB one).
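The following Java class is an added illustration for this note, not
Apache Beam's own code and not the patch shipped in 2.17.0. It contrasts
the two failure modes described above (flag ignored, trust-all context
installed JVM-wide with SSLContext.setDefault) with a scoped variant that
honours the flag and hands the permissive context only to the MongoDB
client options, and it includes a runtime check showing whether the JVM
default SSLContext has been replaced. It assumes the MongoDB Java driver
3.x (com.mongodb.MongoClientOptions) is on the classpath; the class and
method names are hypothetical.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import com.mongodb.MongoClientOptions;

/**
 * Example written for this note (hypothetical names, not Apache Beam code).
 * Assumes the MongoDB Java driver 3.x is on the classpath.
 */
public final class MongoTlsTrustExample {

  /** A trust manager that accepts every certificate chain: no trust verification at all. */
  private static X509TrustManager trustAll() {
    return new X509TrustManager() {
      @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
      @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
      @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };
  }

  /** Builds a TLS context backed by the trust-all manager. */
  private static SSLContext trustAllContext()
      throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, new TrustManager[] {trustAll()}, new SecureRandom());
    return ctx;
  }

  /**
   * WEAK: the pattern the advisory describes. The caller's flag is never consulted,
   * and the trust-all context is installed as the JVM-wide default, so every user of
   * SSLContext.getDefault() in this process stops verifying certificates.
   */
  static MongoClientOptions weakOptions(boolean ignoreSslCertificate) throws Exception {
    SSLContext insecure = trustAllContext();
    SSLContext.setDefault(insecure);          // global side effect: affects the whole JVM
    return MongoClientOptions.builder()
        .sslEnabled(true)
        .sslContext(insecure)                 // ignoreSslCertificate is ignored here
        .build();
  }

  /**
   * HARDENED: honour the flag, and when the user explicitly disables verification,
   * pass the permissive context only to this client. The JVM default is untouched.
   */
  static MongoClientOptions scopedOptions(boolean ignoreSslCertificate) throws Exception {
    MongoClientOptions.Builder b = MongoClientOptions.builder().sslEnabled(true);
    if (ignoreSslCertificate) {
      b.sslContext(trustAllContext());        // scoped to this client; still a deliberate risk
    }
    // With the flag false the driver uses the JVM default context and verifies normally.
    return b.build();
  }

  /** Runtime check: is the JVM default SSLContext still the one captured at startup? */
  static boolean defaultContextUntouched(SSLContext baseline) throws NoSuchAlgorithmException {
    return SSLContext.getDefault() == baseline;
  }

  public static void main(String[] args) throws Exception {
    SSLContext baseline = SSLContext.getDefault();

    scopedOptions(false);
    scopedOptions(true);
    System.out.println("after scopedOptions: default context untouched = "
        + defaultContextUntouched(baseline));

    weakOptions(false);   // caller asked for verification, but the flag is not honoured
    System.out.println("after weakOptions(false): default context untouched = "
        + defaultContextUntouched(baseline));
  }
}
```

SSLContext.getDefault() returns the cached default instance until
SSLContext.setDefault() replaces it, so the identity comparison in
defaultContextUntouched() is a cheap way to detect, from inside a pipeline
worker or a test, that some library has registered a JVM-wide context.
The scoped variant leaves that identity unchanged; the weak variant does
not, even when the caller passed false.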

Mitigation:
Users of the affected versions should apply the following mitigation:
- Upgrade to Apache Beam 2.17.0 or later.

Until the upgrade is applied, note that because the exclusion is
registered JVM-wide, running the affected connector weakens every other
TLS connection made from the same JVM, not only the MongoDB one.

Acknowledgements:
This issue was reported (and fixed) by Colm Ó hÉigeartaigh.


=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
