Bug 1129935 (CVE-2014-3596)

Summary: CVE-2014-3596 axis: SSL hostname verification bypass, incomplete CVE-2012-5784 fix
Product: [Other] Security Response Reporter: David Jorm <djorm>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: andjrobins, bdawidow, bmcclain, chazlett, cperry, dblechte, drieden, epp-bugs, grocha, idith, java-maint, jpallich, jrusnack, krzysztof.daniel, lsurette, mgoldman, michal.skrivanek, mjc, mmcgrath, mweiler, nobody+bgollahe, ohudlick, pcheung, Rhev-m-bugs, security-response-team, srevivo, theute, weli, ykaul
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:34:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1129971, 1129979, 1129980, 1129981, 1129982, 1129983, 1129984, 1129985, 1129986, 1129987, 1129988, 1129989, 1129993, 1129995, 1134761, 1134762, 1219514    
Bug Blocks: 1130120, 1134386, 1196328, 1220827    

Description David Jorm 2014-08-14 03:27:37 UTC 
It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.
Comment 1 David Jorm 2014-08-14 03:31:13 UTC 
Statement:

Note that Axis 1 is EOL upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1164433

Acknowledgements:

This issue was discovered by David Jorm and Arun Neelicattu of Red Hat Product Security.
Comment 3 David Jorm 2014-08-19 00:46:17 UTC 
Upstream bug:

https://issues.apache.org/jira/browse/AXIS-2905

Proposed upstream patch:

https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch
Comment 4 Tomas Hoger 2014-08-27 12:44:16 UTC 
The original issue CVE-2012-5784 was tracked via bug 873252.

This problem is similar to Apache HttpComponents Client / Apache/Jakarta Commons HttpClient issue CVE-2014-3577, see bug 1129074 comment 23 for technical details.
Comment 6 Martin Prpič 2014-09-04 09:52:21 UTC 
IssueDescription:

It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
Comment 7 errata-xmlrpc 2014-09-15 15:40:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1193 https://rhn.redhat.com/errata/RHSA-2014-1193.html
Comment 9 errata-xmlrpc 2015-05-14 15:14:17 UTC 
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1010 https://rhn.redhat.com/errata/RHSA-2015-1010.html