Bug 873317 (CVE-2012-5783)
| Summary: | CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agrimm, aileenc, aneelica, chazlett, david, djorm, fnasser, fweimer, hghasemb, java-maint, jpazdziora, llierheimer, mizdebsk, pcheung |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: |
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-02-27 18:48:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 873319, 887662, 887663, 887664, 887665, 887666, 887667, 887668, 887669, 887670, 887671, 887672, 953308, 1053968, 1053969, 1053970, 1053971, 1053972, 1053973, 1053974, 1053975, 1053976, 1053977, 1054567, 1054568 | ||
| Bug Blocks: | 873321, 953709, 956239, 980652, 1054573 | ||
|
Description
Jan Lieskovsky
2012-11-05 14:37:59 UTC
Created jakarta-commons-httpclient tracking bugs for this issue Affects: fedora-all [bug 873319] Upstream ticket for 4.x: [4] https://issues.apache.org/jira/browse/httpclient-613 and relevant patch for 4.x: [5] http://svn.apache.org/viewvc?view=revision&revision=483925 This issue affects the versions of the jakarta-commons-httpclient package, as shipped with Red Hat Enterprise Linux 5 and 6. Upstream bug: https://issues.apache.org/jira/browse/HTTPCLIENT-1265 Upstream patch commit: https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573 jakarta-commons-httpclient-3.1-12.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. jakarta-commons-httpclient-3.1-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. jakarta-commons-httpclient-3.1-12.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:0270 https://rhn.redhat.com/errata/RHSA-2013-0270.html This issue has been addressed in following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2013:0679 https://rhn.redhat.com/errata/RHSA-2013-0679.html This issue has been addressed in following products: JBEWP 5 for RHEL 4 JBEWP 5 for RHEL 5 JBEWP 5 for RHEL 6 Via RHSA-2013:0682 https://rhn.redhat.com/errata/RHSA-2013-0682.html This issue has been addressed in following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2013:0681 https://rhn.redhat.com/errata/RHSA-2013-0681.html This issue has been addressed in following products: JBEAP 5 for RHEL 4 JBEAP 5 for RHEL 5 JBEAP 5 for RHEL 6 Via RHSA-2013:0680 https://rhn.redhat.com/errata/RHSA-2013-0680.html This issue has been addressed in following products: JBoss Web Framework Kit 2.2.0 Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html This issue has been addressed in following products: Red Hat JBoss BRMS 5.3.1 Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html This issue has been addressed in following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html This issue has been addressed in following products: Red Hat JBoss Operations Network 3.2.0 Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html This issue has been addressed in following products: RHEV Manager version 3.3 Via RHSA-2014:0224 https://rhn.redhat.com/errata/RHSA-2014-0224.html Multiple problems were discovered in the fix for this issue, which got separate CVE ids assigned and are tracked via separate bug reports - CVE-2012-6153 (bug 1129916) and CVE-2014-3577 (bug 1129074). This issue has been addressed in the following products: Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868 This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868 This issue has been addressed in the following products: Red Hat Fuse 7.12 Via RHSA-2023:3954 https://access.redhat.com/errata/RHSA-2023:3954 |