Date: Wed, 20 Aug 2014 14:18:02 +1000 From: David Jorm <djorm@...hat.com> To: oss-security@...ts.openwall.com Subject: CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack Hi All I noticed that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. Note that Axis 1 is EOL upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat. I do not believe Axis 2 is affected. The incomplete patch: https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch Is attached to this issue: https://issues.apache.org/jira/browse/AXIS-2883 The flaw exists in the getCN(String) method. An attacker could craft a subject that includes a CN in a field other than the CN, and this CN would be used when validating the hostname. Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this issue from the Red Hat CNA. I have now made this issue public: https://access.redhat.com/security/cve/CVE-2014-3596 An upstream bug, along with a proposed patch, is available here: https://issues.apache.org/jira/browse/AXIS-2905 Thanks -- David Jorm / Red Hat Product Security
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.