Headline
GHSA-3xgr-h5hq-7299: GeoIP processor disables SSL certificate validation when downloading databases
Impact
The GeoIP processor in Data Prepper was configured to trust all SSL certificates and disable hostname verification when downloading GeoIP databases from HTTP URLs, making downloads vulnerable to man-in-the-middle attacks.
The GeoIP processor included a custom SSL implementation that completely bypassed certificate validation when downloading GeoIP databases from external sources. The initiateSSL() method incorrectly implemented an approach for trusting all certificates. Specifically it:
- Accepted all SSL certificates without validation
- Disabled server certificate verification
- Disabled client certificate verification
- Disabled hostname verification
This configuration made database downloads vulnerable to man-in-the-middle attacks, potentially allowing attackers to serve malicious GeoIP databases that could compromise the integrity of geolocation data processing.
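The trust-all pattern described above, next to a validated download, as an added Java example. It is not Data Prepper's code; the class and method names (`GeoIpDownloadTls`, `openTrustAll`, `openValidated`, `download`) are hypothetical and only standard JDK APIs are used.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.nio.file.*;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class GeoIpDownloadTls {
    // INSECURE, shown for contrast only: accepts any certificate chain and any hostname.
    static HttpsURLConnection openTrustAll(URL url) throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { } // no client check
            public void checkServerTrusted(X509Certificate[] chain, String authType) { } // no server check
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((hostname, session) -> true); // hostname never verified
        return conn;
    }

    // HARDENED: no custom SSLContext or HostnameVerifier, so the JVM default
    // trust store and hostname verification apply; plain HTTP is refused.
    static HttpsURLConnection openValidated(URL url) throws Exception {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException("refusing non-HTTPS database URL: " + url);
        }
        return (HttpsURLConnection) url.openConnection();
    }

    // Downloads through the validated connection; a bad certificate or a
    // hostname mismatch surfaces as SSLHandshakeException and nothing is written.
    static void download(URL url, Path target) throws Exception {
        HttpsURLConnection conn = openValidated(url);
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(30_000);
        try (InputStream in = conn.getInputStream()) {
            Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) { System.err.println("usage: GeoIpDownloadTls <https-url> <target-file>"); return; }
        download(URI.create(args[0]).toURL(), Paths.get(args[1]));
    }
}
```

When reviewing code for this class of bug, an empty `checkServerTrusted` body or a `HostnameVerifier` that always returns `true` is the marker to search for.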
Patches
Data Prepper 2.12.2 contains a fix for this issue.
Workarounds
If upgrading is not immediately possible:
- Use local GeoIP database files instead of downloading from HTTP URLs
- Ensure database downloads occur only over trusted networks
References
- GHSA-3xgr-h5hq-7299
- opensearch-project/data-prepper@b82ea06