Bug 1127276 (CVE-2014-5075)

Summary: CVE-2014-5075 smack: MitM vulnerability
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brms-jira, chazlett, grocha, java-sig-commits, pavelp, tkirby, weli
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: smack-core 4.0.2, smack-tcp 4.0.2, smack 4.0.2 Doc Type: Bug Fix
Doc Text:
It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-01-21 21:04:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1127277    
Bug Blocks: 1127281, 1232965    

Description Vasyl Kaigorodov 2014-08-06 14:07:38 UTC
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM attacks with a crafted SSL certificates.
Quote from [1]:

Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
(CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363)
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname

[1]: http://seclists.org/bugtraq/2014/Aug/29

Comment 1 Vasyl Kaigorodov 2014-08-06 14:08:02 UTC
Created smack tracking bugs for this issue:

Affects: fedora-all [bug 1127277]

Comment 3 Fedora Update System 2014-09-02 06:45:50 UTC
smack-3.2.2-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 errata-xmlrpc 2015-06-23 16:53:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html