Bug 1129074 (CVE-2014-3577)
Field | Value | Field | Value |
---|---|---|---|
Summary: | CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix | | |
Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | unspecified | CC: | |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | httpcomponents-client 4.3.5 | Doc Type: | Bug Fix |
Doc Text: | It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-08 02:34:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1138482, 1129117, 1129118, 1129119, 1129120, 1129121, 1129122, 1129123, 1129124, 1129125, 1129126, 1129127, 1129128, 1129129, 1129130, 1129131, 1129132, 1129133, 1129134, 1129135, 1129136, 1129137, 1129138, 1129139, 1129140, 1129141, 1129142, 1129143, 1129144, 1129145, 1129146, 1129147, 1129148, 1129149, 1129150, 1129151, 1129152, 1129154, 1129155, 1129156, 1129157, 1129158, 1129159, 1129160, 1129161, 1129162, 1129163, 1129164, 1129165, 1129166, 1129167, 1129168, 1129169, 1129170, 1129172, 1129173, 1129174, 1129175, 1129176, 1129177, 1129178, 1129179, 1129180, 1129182, 1129183, 1129185, 1129186, 1129187, 1129188, 1129209, 1129626, 1130941, 1130942, 1131288, 1134720, 1134722, 1143782, 1143783, 1143784, 1143833, 1155308, 1155309, 1155310, 1155311, 1155312, 1155313, 1155314, 1155315, 1155316, 1155317, 1155318, 1155319, 1155320, 1155321, 1155322, 1155323, 1155324, 1155325, 1155326, 1156068, 1156076, 1156077, 1156078, 1156079, 1156080, 1160700, 1160701, 1161455, 1168613, 1537778, 1666895, 2015091 | | |
Bug Blocks: | 1128968, 1129378, 1129383, 1130924, 1130962, 1131741, 1134386, 1139455, 1151585, 1155883, 1155884, 1159092, 1181883, 1182400, 1182419, 1183452, 1187398, 1200191, 1210482, 1232965, 1244362, 1244363, 1320308, 1679418 | | |
Description
Arun Babu Neelicattu
2014-08-12 08:21:09 UTC
Statement: Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533

This issue affects the versions of HttpComponents Client as shipped with Red Hat JBoss Data Grid 6 and Red Hat JBoss Data Virtualization 6; and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Grid 6 and JBoss Data Virtualization 6. A future update may address this issue.

Red Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Upstream Commits:

HttpClient/trunk
- http://svn.apache.org/viewvc?view=revision&revision=1614065
- http://svn.apache.org/viewvc?view=revision&revision=1614270

HttpClient/4.3.x Branch
- http://svn.apache.org/viewvc?view=revision&revision=1614064
- http://svn.apache.org/viewvc?view=revision&revision=1614271

HttpAsyncClient/4.0.x Branch
- http://svn.apache.org/viewvc?view=revision&revision=1615302

Note that upstream identifies HttpAsyncClient as being vulnerable to this issue. However, do note that the HttpAsyncClient artifacts themselves are only affected via a transient dependency on a vulnerable version of HttpClient (older than 4.3.5).

This issue was introduced upstream via [1]. However, note that all versions prior to 4.2.3 are vulnerable to CVE-2012-6153.

[1] http://svn.apache.org/viewvc?view=revision&revision=1411705

Affects: org.apache.httpcomponents:httpclient >= 4.2.3, <= 4.3.4

Created httpcomponents-client tracking bugs for this issue:
Affects: fedora-all [bug 1130942]

Created jakarta-commons-httpclient tracking bugs for this issue:
Affects: fedora-all [bug 1130941]

IssueDescription: It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

This issue has been addressed in the following products:
- Red Hat Software Collections 1 for Red Hat Enterprise Linux 6, Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS via RHSA-2014:1082 https://rhn.redhat.com/errata/RHSA-2014-1082.html

The original issue CVE-2012-6153 is tracked via bug 1129916. It also is an incomplete fix CVE for CVE-2012-5783 (bug 873317).

In addition to the problem corrected in the fix that got CVE-2012-6153 assigned (see bug 1129916 comment 20), an additional problem was found with the code that was used to extract the Common Name (CN) from an X.509 certificate subject. Use of a comma as part of a subject attribute value could confuse the tokenizer into splitting the subject and attempting to match the "CN=" string in the middle of some other attribute value. The upstream advisory (linked in comment 15 above) uses the following example:

O="foo,CN=www.apache.org"

www.apache.org was incorrectly extracted as a valid CN from such a subject.
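The tokenizer confusion described above, as an added example that is not HttpComponents' own code: a naive comma-split CN extractor beside an RFC 2253-aware parser that honours quoting and backslash escapes, both run over the advisory's subject and a constructed ordinary one (the `NORMAL` subject and the function names are assumptions).

```python
"""Added example: why a comma-split CN extractor mis-reads
O="foo,CN=www.apache.org", and a quoting-aware DN parser that does not."""
from typing import List, Tuple


def naive_cns(subject: str) -> List[str]:
    """Flawed extraction, as the bug describes: split the DN string on ','
    and accept any piece that starts with 'CN='. Quotes are discarded,
    never interpreted, so a comma inside a quoted value ends the token."""
    cns = []
    for piece in subject.split(","):
        piece = piece.strip()
        if piece.upper().startswith("CN="):
            cns.append(piece[3:].strip('"'))
    return cns


def parse_rdns(subject: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 DN string into (type, value) pairs. A ',' or '+'
    inside a quoted value or after a backslash is data, not a separator."""
    attrs, buf, quoted, i = [], [], False, 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):   # escaped char: keep it literally
            buf.append(subject[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted                   # enter/leave a quoted value
        elif ch in ",+" and not quoted:           # ',' ends an RDN, '+' a multi-valued one
            attrs.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    attrs.append("".join(buf))
    pairs = []
    for attr in attrs:
        typ, sep, val = attr.partition("=")       # split on the first '=' only
        if not sep:
            raise ValueError(f"malformed RDN: {attr!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def safe_cns(subject: str) -> List[str]:
    """Return only values whose attribute type really is CN."""
    return [val for typ, val in parse_rdns(subject) if typ == "CN"]


CRAFTED = 'O="foo,CN=www.apache.org"'               # subject from the upstream advisory
NORMAL = "CN=www.example.com,O=Example Corp,C=US"   # constructed ordinary subject

if __name__ == "__main__":
    for s in (CRAFTED, NORMAL):
        print(s, "| naive:", naive_cns(s), "| safe:", safe_cns(s))
```

Only the naive extractor reports www.apache.org for the crafted subject; the quoting-aware parser sees a single O attribute and no CN at all.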
The following builds have been pushed to the Fedora stable repositories:
- jakarta-commons-httpclient-3.1-15.fc19 (Fedora 19)
- jakarta-commons-httpclient-3.1-15.fc20 (Fedora 20)
- httpcomponents-client-4.2.5-4.fc19 (Fedora 19)
- httpcomponents-client-4.2.5-4.fc20 (Fedora 20)

If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
- Red Hat Enterprise Linux 7 via RHSA-2014:1146 https://rhn.redhat.com/errata/RHSA-2014-1146.html
- JBEAP 6.3.z for RHEL 5, JBEAP 6.3.z for RHEL 6, JBEAP 6.3.z for RHEL 7 via RHSA-2014:1162 https://rhn.redhat.com/errata/RHSA-2014-1162.html
- JBoss Enterprise Application Platform 6.3.0 via RHSA-2014:1163 https://rhn.redhat.com/errata/RHSA-2014-1163.html
- Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 5 via RHSA-2014:1166 https://rhn.redhat.com/errata/RHSA-2014-1166.html
- JBoss Enterprise Web Platform 5.2.0 via RHSA-2014:1322 https://rhn.redhat.com/errata/RHSA-2014-1322.html
- JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 6, JBEWP 5 for RHEL 4 via RHSA-2014:1320 https://rhn.redhat.com/errata/RHSA-2014-1320.html
- JBoss Enterprise Application Platform 5.2.0 via RHSA-2014:1323 https://rhn.redhat.com/errata/RHSA-2014-1323.html
- JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 6 via RHSA-2014:1321 https://rhn.redhat.com/errata/RHSA-2014-1321.html

CXF upstream commits:
- master: https://github.com/apache/cxf/commit/68cd67b1187edfca957f15a00eab9a14cd140672
- 3.0.x: https://github.com/apache/cxf/commit/35f28c58db0247f841afa74b86a94a84923f3328
- 2.7.x: https://github.com/apache/cxf/commit/e227a1a9ee536a33c550683405a766bf5e906873

This issue has been addressed in the following products:
- JBoss Enterprise Application Platform 5.2.0 via RHSA-2014:1836 https://rhn.redhat.com/errata/RHSA-2014-1836.html
- JBoss Enterprise Web Platform 5.2.0 via RHSA-2014:1835 https://rhn.redhat.com/errata/RHSA-2014-1835.html
- JBEAP 5 for RHEL 6, JBEAP 5 for RHEL 5, JBEAP 5 for RHEL 4 via RHSA-2014:1834 https://rhn.redhat.com/errata/RHSA-2014-1834.html
- JBEWP 5 for RHEL 6, JBEWP 5 for RHEL 5, JBEWP 5 for RHEL 4 via RHSA-2014:1833 https://rhn.redhat.com/errata/RHSA-2014-1833.html
- JBoss BPM Suite 6.0.3 via RHSA-2014:1892 https://rhn.redhat.com/errata/RHSA-2014-1892.html
- JBoss BRMS 6.0.3 via RHSA-2014:1891 https://rhn.redhat.com/errata/RHSA-2014-1891.html
- JBoss Operations Network 3.3.0 via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html
- JBoss Enterprise Application Platform 6.3.2 via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html
- JBEAP 6.3.z for RHEL 6, JBEAP 6.3.z for RHEL 5, JBEAP 6.3.z for RHEL 7 via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html
- JBoss Web Framework Kit 2.7.0 via RHSA-2015:0125 https://rhn.redhat.com/errata/RHSA-2015-0125.html
- RHEV Manager version 3.5 via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html
- Red Hat JBoss BRMS 6.0.3 via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
- Red Hat JBoss BPM Suite 6.0.3 via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
- JBoss Data Virtualization 6.1.0 via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
- Red Hat JBoss Fuse Service Works 6.0.0 via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
- Red Hat JBoss Data Virtualization 6.0.0 via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
- JBoss BPM Suite 6.1.0 via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
- JBoss BRMS 6.1.0 via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
- JBoss Portal 6.2.0 via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
- Red Hat JBoss A-MQ 6.2.0 via RHSA-2015:1177 https://rhn.redhat.com/errata/RHSA-2015-1177.html
- Red Hat JBoss Fuse 6.2.0 via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html
- Red Hat JBoss SOA Platform 5.3.1 via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html
- Red Hat OpenShift Enterprise 2.2 via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html
- Red Hat JBoss Fuse and A-MQ 6.2.1 Rollup Patch 4 via RHSA-2016:1931 https://rhn.redhat.com/errata/RHSA-2016-1931.html
- Red Hat OpenShift Container Platform 4.10 via RHSA-2022:0055 https://access.redhat.com/errata/RHSA-2022:0055