axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Jorm (JIRA)" <axis-...@ws.apache.org>
Subject [jira] [Updated] (AXIS-2905) Insecure certificate validation CVE-2014-3596
Date Tue, 19 Aug 2014 02:12:19 GMT

     [ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Jorm updated AXIS-2905:
-----------------------------

    Attachment: CVE-2014-3596.patch

Proposed patch that resolves both CVE-2012-5784 (AXIS-2883) and CVE-2014-3596

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN field was flawed. This can
be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433



--
This message was sent by Atlassian JIRA
(v6.2#6252)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message