List:       oss-security
Subject:    [oss-security] CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack
From:       David Jorm <djorm () redhat ! com>
Date:       2014-08-20 4:18:02
Message-ID: 53F4217A.203 () redhat ! com
Hi All

I noticed that the fix for CVE-2012-5784 was incomplete. The code added 
to check that the server hostname matches the domain name in the 
subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid 
certificate using a specially crafted subject.

Note that Axis 1 is EOL upstream, and the incomplete patch for 
CVE-2012-5784 was never merged upstream. It was, however, shipped by 
various vendors, including Debian and Red Hat. I do not believe Axis 2 
is affected.

The incomplete patch:

https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch

Is attached to this issue:

https://issues.apache.org/jira/browse/AXIS-2883

The flaw exists in the getCN(String) method. An attacker could craft a 
subject that includes a CN in a field other than the CN, and this CN 
would be used when validating the hostname.

Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this 
issue from the Red Hat CNA. I have now made this issue public:

https://access.redhat.com/security/cve/CVE-2014-3596

An upstream bug, along with a proposed patch, is available here:

https://issues.apache.org/jira/browse/AXIS-2905

Thanks
--
David Jorm / Red Hat Product Security
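As an added illustration of the getCN() issue described in the message above (example code, not from the advisory, the patch or Axis itself): a subject DN parser that takes the CN only from an RDN whose attribute type is exactly CN, beside a substring-style lookup that stands in for the class of mistake described. The lookup logic, the sample subjects and the hostname check are assumptions constructed for this example, not the patch's code.

```python
import re

def parse_dn(dn):
    """Split an RFC 2253 style subject DN into (attribute type, value) pairs.
    Commas separate RDNs unless backslash-escaped or inside double quotes;
    quote characters are dropped, escaped characters are kept literally."""
    rdns, buf, quoted, i = [], [], False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):   # escaped char: keep the next one literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == ',' and not quoted:
            rdns.append(''.join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    rdns.append(''.join(buf))
    pairs = []
    for rdn in rdns:
        if '=' not in rdn:
            raise ValueError('malformed RDN: %r' % rdn)
        attr, value = rdn.split('=', 1)
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def naive_get_cn(subject):
    """Substring search over the whole subject string (assumed illustration of
    the flaw class, not the patch's code): a 'CN=' inside the value of some
    other attribute is picked up as if it were the subject's CN."""
    m = re.search(r'CN=([^,]+)', subject)
    return m.group(1).strip() if m else None

def get_cn(subject):
    """Return the CN only from an RDN whose type is exactly CN; a subject with
    no CN, or with more than one, is rejected (None) rather than guessed at."""
    cns = [v for attr, v in parse_dn(subject) if attr == 'CN']
    return cns[0] if len(cns) == 1 else None

def hostname_matches(hostname, cn):
    """Case-insensitive exact match, or a leading '*.' covering exactly one label."""
    if not cn:
        return False
    host, cn = hostname.lower(), cn.lower()
    if cn.startswith('*.'):
        hl, cl = host.split('.'), cn.split('.')
        return len(hl) == len(cl) and hl[1:] == cl[1:]
    return host == cn
```

With a constructed subject such as `OU=CN=example.com, CN=attacker.example`, the substring lookup reports `example.com` and the hostname check passes, while the RDN-aware lookup reports `attacker.example` and the check fails.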