Compliance Impact

This vulnerability causes the trustedCertPool() function to only parse the first PEM block from CA certificate files, which breaks certificate chain validation for mutual TLS (mTLS).

Since mTLS is used to ensure secure and authenticated communication, this flaw could weaken the security posture of systems relying on Oxia, potentially impacting compliance with standards and regulations that require strong encryption and authentication mechanisms, such as GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in Oxia, a metadata store and coordination system, in versions prior to 0.16.2. The issue is in the trustedCertPool() function used in the TLS configuration, which only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates, such as intermediate and root CA certificates, only the first certificate is loaded. This causes the certificate chain validation for mutual TLS (mTLS) to silently fail.

Useful 0 Not Useful 0

Impact Analysis

Because only the first certificate in a CA bundle is loaded, the certificate chain validation for mTLS is broken. This means that the system may incorrectly trust or reject certificates during TLS handshakes, potentially allowing unauthorized access or causing legitimate connections to fail. This undermines the security guarantees of mTLS, which relies on proper certificate chain validation to authenticate parties.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade Oxia to version 0.16.2 or later, where the trustedCertPool() function correctly parses all PEM blocks in CA certificate files, ensuring proper certificate chain validation for mTLS.

Useful 0 Not Useful 0