Date: Wed, 20 Aug 2014 14:18:02 +1000 From: David Jorm <djorm@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack Hi All I noticed that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. Note that Axis 1 is EOL upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat. I do not believe Axis 2 is affected. The incomplete patch: https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch Is attached to this issue: https://issues.apache.org/jira/browse/AXIS-2883 The flaw exists in the getCN(String) method. An attacker could craft a subject that includes a CN in a field other than the CN, and this CN would be used when validating the hostname. Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this issue from the Red Hat CNA. I have now made this issue public: https://access.redhat.com/security/cve/CVE-2014-3596 An upstream bug, along with a proposed patch, is available here: https://issues.apache.org/jira/browse/AXIS-2905 Thanks -- David Jorm / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ