[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack
From: David Jorm <djorm () redhat ! com>
Date: 2014-08-20 4:18:02
Message-ID: 53F4217A.203 () redhat ! com
[Download RAW message or body]
Hi All
I noticed that the fix for CVE-2012-5784 was incomplete. The code added
to check that the server hostname matches the domain name in the
subject's CN field was flawed. This can be exploited by a
Man-in-the-middle (MITM) attack where the attacker can spoof a valid
certificate using a specially crafted subject.
Note that Axis 1 is EOL upstream, and the incomplete patch for
CVE-2012-5784 was never merged upstream. It was, however, shipped by
various vendors, including Debian and Red Hat. I do not believe Axis 2
is affected.
The incomplete patch:
https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch
Is attached to this issue:
https://issues.apache.org/jira/browse/AXIS-2883
The flaw exists in the getCN(String) method. An attacker could craft a
subject that includes a CN in a field other than the CN, and this CN
would be used when validating the hostname.
Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this
issue from the Red Hat CNA. I have now made this issue public:
https://access.redhat.com/security/cve/CVE-2014-3596
An upstream bug, along with a proposed patch, is available here:
https://issues.apache.org/jira/browse/AXIS-2905
Thanks
--
David Jorm / Red Hat Product Security
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic