Bug 1709379 (CVE-2018-20200)

Summary: CVE-2018-20200 okhttp: certificate pinning bypass
Product: [Other] Security Response Reporter: msiddiqu
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, ahardin, aileenc, akoufoud, alazarot, almorale, anstephe, aos-bugs, avibelli, bgeorges, bleanhar, bmontgom, ccoleman, chazlett, cmoulliard, dedgar, drieden, eparis, etirelli, fedora, ibek, ikanello, janstey, java-sig-commits, jbalunas, jburrell, jcantril, jgoulding, jochrist, jokerman, jpallich, jshepherd, krathod, kverlaen, lthon, mchappel, mizdebsk, mnovotny, mszynkie, nstielau, paradhya, pdrozd, pgallagh, pjindal, puntogil, rrajasek, rruss, rsynek, sdaley, sfowler, sponnaga, sthorger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-11 01:24:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1709380    
Bug Blocks: 1709384    

Description msiddiqu 2019-05-13 13:35:19 UTC 
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.

Upstream issue:

https://github.com/square/okhttp/issues/4967

References:

https://cxsecurity.com/issue/WLB-2018120252 
https://github.com/square/okhttp/commits/master 
https://github.com/square/okhttp/releases 
https://square.github.io/okhttp/3.x/okhttp/
Comment 1 msiddiqu 2019-05-13 13:35:35 UTC 
Created okhttp tracking bugs for this issue:

Affects: fedora-all [bug 1709380]
Comment 3 Sam Fowler 2019-09-19 05:18:49 UTC 
Statement:

OkHttp is used by OpenShift Container Platform in the Aggregated Logging stack. This issue is not considered a vulnerability for OpenShift Container Platform as the prerequisite for exploitation is the ability to inject code into the application.
Comment 5 Product Security DevOps Team 2019-12-11 01:24:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20200