Home page logo

oss-sec logo oss-sec mailing list archives

CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Tue, 12 Feb 2013 08:23:08 -0500 (EST)

Hello Kurt, Steve, vendors,

  Originally, Common Vulnerabilities and Exposures
assigned an identifier CVE-2012-5783 to the following

Apache Commons HttpClient 3.x, as used in Amazon Flexible
Payments Service (FPS) merchant Java SDK and other products,
does not verify that the server hostname matches a domain
name in the subject's Common Name (CN) or subjectAltName field
of the X.509 certificate, which allows man-in-the-middle
attackers to spoof SSL servers via an arbitrary valid certificate.

Later it was found, that the SSL hostname verifier implementation
(CVE-2012-5783 fix) contained a bug in wildcard matching:
[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255

which still allowed certain type of certificates checks to pass,
even if they shouldn't.

Relevant upstream patches:
[2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
    (against 4.2.x branch)
[3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
    (against trunk)

[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
[5] https://bugzilla.redhat.com/show_bug.cgi?id=910358

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]