Oxia Metadata Store and Coordination System TLS Certificate Chain Validation Vulnerability
Vulnerability
In Oxia versions prior to 0.16.2, the TLS configuration's trustedCertPool() function mishandles CA certificate files that contain more than one certificate. It decodes only a single PEM block and discards any further certificates without raising an error, so only the first certificate in the bundle is added to the trust pool. When the CA file is a certificate chain, this leaves certificate chain validation for mutual TLS (mTLS) deployments broken.
Impact
Deployments that use mTLS with certificate chains reject legitimate clients presenting properly chained certificates, failing with an error that the certificate is signed by an unknown authority. This makes mTLS unusable with standard CA chain configurations and may push operators to disable client certificate verification altogether.
Remediation
Upgrade to Oxia version 0.16.2 or later. As a workaround for versions prior to 0.16.2, use a CA file that contains only a single certificate, namely the direct issuer of the client certificates, rather than a chain.
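Added example, not Oxia's code: a loader that reproduces the single-PEM-block behaviour described above beside a loader that appends every block, both exercised against a constructed root -> intermediate -> client chain whose CA file lists the root first, with the client presenting only its leaf certificate. Function names, certificate names and the shape of the vulnerable loader are assumptions made for the demonstration, and the fixed loader shows the intended behaviour rather than Oxia's actual patch.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// VulnerablePool reproduces the pre-0.16.2 behaviour described above (assumed shape, not Oxia's code).
func VulnerablePool(caPEM []byte) *x509.CertPool {
	pool := x509.NewCertPool()
	if block, _ := pem.Decode(caPEM); block != nil { // one block only; later blocks are dropped without error
		if cert, err := x509.ParseCertificate(block.Bytes); err == nil {
			pool.AddCert(cert)
		}
	}
	return pool
}
func FixedPool(caPEM []byte) *x509.CertPool { // hardened form: every PEM block in the file is appended
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM) // a false return (nothing parsed) should be surfaced as a config error
	return pool
}
func Accepts(pool *x509.CertPool, leaf *x509.Certificate) bool { // leaf presented alone, no intermediate
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil // on failure err reads "x509: certificate signed by unknown authority"
}
// newCert issues a constructed certificate for cn signed by parent (self-signed when parent is nil).
func newCert(serial int64, cn string, ca bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, []byte) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca}
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
// BuildScenario returns a CA bundle (root first, then intermediate) and a client leaf issued by the intermediate.
func BuildScenario() ([]byte, *x509.Certificate) {
	root, rootKey, rootPEM := newCert(1, "Constructed Root CA", true, nil, nil)
	inter, interKey, interPEM := newCert(2, "Constructed Intermediate CA", true, root, rootKey)
	leaf, _, _ := newCert(3, "oxia-client", false, inter, interKey)
	return append(rootPEM, interPEM...), leaf
}
```

With the bundle from BuildScenario, Accepts(VulnerablePool(bundle), leaf) is false because only the root was trusted, while Accepts(FixedPool(bundle), leaf) is true because the intermediate that issued the client certificate is in the pool.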
