axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andreas Veithen (JIRA)" <>
Subject [jira] [Issue Comment Deleted] (AXIS-2905) Insecure certificate validation CVE-2014-3596
Date Mon, 26 Sep 2016 07:41:21 GMT


Andreas Veithen updated AXIS-2905:
    Comment: was deleted

(was: doesnt compile with JDK 1.8.0_40-b26

Warning: Binary file .\javax\security\cert\X509Certificate contains
  public abstract getSubjectDN();

suggest backing out patch or reverting to previous version asap)

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>                 Key: AXIS-2905
>                 URL:
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>         Attachments: CVE-2014-3596.patch
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN field was flawed. This can
be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
> For more details, see:

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message