cloudstack-issues mailing list archives

From "Md Mahir Asef Kabir (Jira)" <j...@apache.org>
Subject [jira] [Updated] (CLOUDSTACK-10421) Usage of Empty TrustManager Methods is insecure
Date Fri, 08 May 2020 18:48:00 GMT

     [ https://issues.apache.org/jira/browse/CLOUDSTACK-10421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Md Mahir Asef Kabir updated CLOUDSTACK-10421:
---------------------------------------------
    Description: 
*Vulnerability Description:* In “plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java”,
inside private static class TrustAllTrustManager implements TrustManager, X509TrustManager,
the overridden methods have no body - 

{code:java}
// Both overrides are empty: neither ever throws CertificateException, so any chain is accepted.
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
{code}


*Reason it’s vulnerable:* If a method responsible for checking certificates doesn’t have
any body, then it will trust all certificates.


*Suggested Fix:* Adding necessary certificate verification logic in the overridden methods.
This is an example code showing a format that can be used and modified appropriately to implement
the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .


*Feedback:* Please select any of the options down below to help us get an idea about how you
felt about the suggestion - 

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful

  was:
*Vulnerability Description:* In “plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java”,
inside private static class TrustAllTrustManager implements TrustManager, X509TrustManager,
the overridden methods have no body - 

{code:java}
// Both overrides are empty: neither ever throws CertificateException, so any chain is accepted.
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
{code}


*Reason it’s vulnerable:* If a method responsible for checking certificates doesn’t have
any body, then it will trust all certificates.


*Suggested Fix:* Adding necessary certificate verification logic in the overridden methods.


*Feedback:* Please select any of the options down below to help us get an idea about how you
felt about the suggestion - 

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful


> Usage of Empty TrustManager Methods is insecure
> -----------------------------------------------
>
>                 Key: CLOUDSTACK-10421
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10421
>             Project: CloudStack
>          Issue Type: Improvement
>      Security Level: Public(Anyone can view this level - this is the default.) 
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
