Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 12 Feb 2013 14:26:49 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures assigned an
identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments
Service (FPS) merchant Java SDK and other products, does not verify
that the server hostname matches a domain name in the subject's
Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via
an arbitrary valid certificate.

Later it was found, that the SSL hostname verifier implementation 
(CVE-2012-5783 fix) contained a bug in wildcard matching: [1]
https://issues.apache.org/jira/browse/HTTPCLIENT-1255

which still allowed certain type of certificates checks to pass, 
even if they shouldn't.

Relevant upstream patches: [2]
https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213 
(against 4.2.x branch) [3]
https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217 
(against trunk)

References: [4]
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268 [5]
https://bugzilla.redhat.com/show_bug.cgi?id=910358

Could you allocate a CVE id for this?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat
Security Response Team

Please use CVE-2012-6127 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRGrOZAAoJEBYNRVNeJnmTHhUQAK94liX7ROncLrSLEOsW/tFB
5uQrAdUsrZtR7Tzpk4XaEIgT2wXo/hbvfS8cYo6TPQ6OExYRCfJCEnFLIbtlEC2B
T0p1xOBS1nwvS8/sUOg5Bj63hWRqE/4IY+DOVDD7ik23n5LlWoDllnbvM4FI+JwT
G2U0FW4SfjpX+eb2KmnOHNABXNfMebfUs9gGMRisSLlESjrUWqQJrkAxbZ7osrXb
AHmopz1MuMuY5xQ/FtjsukNXwCBWK/nVZumiqwLBzipA3iGNuxPsT63sUya13eyd
tWFfOR196I/lr8JQfHU2Xui0gMBHuH9qVdhs2taq1FLpnoNN9xG5LWnzG5J9m8dH
xUY/69UitCg6Echum9X9JCWhpNDjC9TV+XWxxmopYATEr5z8cvS45jhz69Vk71B8
ieApYTqZKTgjv5nWEqTS3MkPlb6OTEjatPDuSLl8ZFqNiV1kZ8lXwNFLmqRbverj
+UVEkFk9uFYFbltEiaXgUq248XBwItxoHm/Z1jxwSOOoCF7nLxApFTdz2+7/P/bj
gS0nszMPSMrsULYR2tl70C5jA5HmWfv9eQjAwygD5bjvyCYgH5DXZO9vOa2NfxKN
m8rZNV8ZZ5QVwJ/NqVDx9i2oWG2CP+DYqKjgvSOO3A4OcdxH4TdJEFNCp0hT7paX
vLPbftX9DC9ZA7t2cmKZ
=icmK
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault