Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request -- jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 12 Feb 2013 17:29:16 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/12/2013 02:26 PM, Kurt Seifried wrote:
On 02/12/2013 06:23 AM, Jan Lieskovsky wrote:
Hello Kurt, Steve, vendors,

Originally, Common Vulnerabilities and Exposures assigned an 
identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible
Payments Service (FPS) merchant Java SDK and other products, does
not verify that the server hostname matches a domain name in the
subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows man-in-the-middle attackers to spoof
SSL servers via an arbitrary valid certificate.

Later it was found, that the SSL hostname verifier implementation
 (CVE-2012-5783 fix) contained a bug in wildcard matching: [1] 
https://issues.apache.org/jira/browse/HTTPCLIENT-1255

which still allowed certain type of certificates checks to pass,
 even if they shouldn't.

Relevant upstream patches: [2] 
https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
 (against 4.2.x branch) [3] 
https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
 (against trunk)

References: [4] 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268 [5] 
https://bugzilla.redhat.com/show_bug.cgi?id=910358

Could you allocate a CVE id for this?

Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat 
Security Response Team

Please use CVE-2012-6127 for this issue.

Ok I should have looked into this deeper, it looks like it may not be
a security issue but I'm not 100% certain, so for now I will leave
this, and if someone can show there is no security impact I'll reject
it. Sorry for the mixup.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRGt5bAAoJEBYNRVNeJnmT7jAQANpKfrw1Y/swmvQAUNQZEQOF
2eKGEqhghw/A28Fz0Yu9vb8ai9A8fqSsWY+U9TOuxgdGonawkhouB2Vm61PxT31O
QkNqaNfhOeUJhYCSKFucIgqVkYysSguUhnNbvTSkxpdQqrpoai+1OovdFF51n+eo
ESHAikn5eLqZUMj2zJV5HfRpM4jDUDkl1l0Oe8so5tLLMhcFZlr4ColRirCyYSSl
31hXDesfMRjN6ZDLEVLgQ+0sj80KSQPoP/ZcztCH4nwuvKoMllkKFL8vTo0EYEdA
lm9DSxDng0e6EEHCSIH9R7puk2uhfmegRunFtlr7Xz1xGUoV0bG5fK2b9OiqmFY4
oxUpgNq78N2TECe6Yq5luOwtKaN9Y04Qn+ZnpM6mKfbhnc/3hHo+hef4rEnRPmGc
xcHymh0oHNL5IWYhxp5jA+m43jLp8HPOzDtTHgft5CGcWP8ncXD90jQG+N+h7CUl
veNGjVZoZhTqQ1P4iWSSiyrlBqkOsWgNsZfcAptapf0C2nC9Lq8INHy7ABDEPL3V
pUZi9gj+CEAMyUWqSo28fCvk0Q1YbUeUkyXf4lO5eu9Ryw/Fp3XE6oZ7ft7YBO3Z
rcxG5Q10gcDIWjX3NFnj1EflpXsqrfL6Bc5tBL5zzGtJBOTtqAXpiuzyKgdSAO/U
tCxu2w7Hped3SDP/2SGM
=tPhD
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]