Bug 873317 (CVE-2012-5783)

Summary: CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: agrimm, aneelica, david, djorm, fnasser, fweimer, java-maint, jpazdziora, llierheimer, mizdebsk, pcheung
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20121016,reported=20121104,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhel-5/jakarta-commons-httpclient=affected,rhel-6/jakarta-commons-httpclient=affected,fedora-all/jakarta-commons-httpclient=affected,sam-1/candlepin=notaffected,brms-5/jakarta-commons-httpclient=affected,epp-5/jakarta-commons-httpclient=wontfix,soap-5/jakarta-commons-httpclient=affected,jon-3.1/jakarta-commons-httpclient=affected,wfk-2/jakarta-commons-httpclient=affected,jbews-1/jakarta-commons-httpclient=wontfix,epp-4/jakarta-commons-httpclient=wontfix,soap-4.2/jakarta-commons-httpclient=wontfix,soap-4.3/jakarta-commons-httpclient=wontfix,rhn_satellite_5.0/jakarta-commons-httpclient=wontfix,rhn_satellite_5.1/jakarta-commons-httpclient=wontfix,rhn_satellite_5.2/jakarta-commons-httpclient=wontfix,rhn_satellite_5.3/jakarta-commons-httpclient=wontfix,rhev-m-3/redhat-support-plugin-rhev=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-27 13:48:51 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 873319, 887662, 887663, 887664, 887665, 887666, 887667, 887668, 887669, 887670, 887671, 887672, 953308, 1053968, 1053969, 1053970, 1053971, 1053972, 1053973, 1053974, 1053975, 1053976, 1053977, 1054567, 1054568    
Bug Blocks: 873321, 953709, 956239, 980652, 1054573    

Description Jan Lieskovsky 2012-11-05 09:37:59 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via andaarbitrary valid certificate.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
Comment 1 Jan Lieskovsky 2012-11-05 09:40:58 EST
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 873319]
Comment 3 Jan Lieskovsky 2012-11-15 11:23:58 EST
Upstream ticket for 4.x:
[4] https://issues.apache.org/jira/browse/httpclient-613

and relevant patch for 4.x:
[5] http://svn.apache.org/viewvc?view=revision&revision=483925
Comment 9 Jan Lieskovsky 2012-11-15 12:33:37 EST
This issue affects the versions of the jakarta-commons-httpclient package, as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 28 Fedora Update System 2013-02-01 11:27:09 EST
jakarta-commons-httpclient-3.1-12.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2013-02-01 11:45:28 EST
jakarta-commons-httpclient-3.1-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2013-02-01 11:49:43 EST
jakarta-commons-httpclient-3.1-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2013-02-19 17:21:43 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0270 https://rhn.redhat.com/errata/RHSA-2013-0270.html
Comment 35 errata-xmlrpc 2013-03-25 13:04:44 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0679 https://rhn.redhat.com/errata/RHSA-2013-0679.html
Comment 36 errata-xmlrpc 2013-03-25 13:16:28 EDT
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0682 https://rhn.redhat.com/errata/RHSA-2013-0682.html
Comment 37 errata-xmlrpc 2013-03-25 13:16:35 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0681 https://rhn.redhat.com/errata/RHSA-2013-0681.html
Comment 38 errata-xmlrpc 2013-03-25 13:17:12 EDT
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0680 https://rhn.redhat.com/errata/RHSA-2013-0680.html
Comment 39 errata-xmlrpc 2013-04-22 17:27:20 EDT
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html
Comment 40 errata-xmlrpc 2013-07-01 11:14:54 EDT
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Comment 41 errata-xmlrpc 2013-08-08 13:08:21 EDT
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html
Comment 42 errata-xmlrpc 2013-12-17 13:37:50 EST
This issue has been addressed in following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
Comment 48 errata-xmlrpc 2014-02-27 13:33:49 EST
This issue has been addressed in following products:

  RHEV Manager version 3.3

Via RHSA-2014:0224 https://rhn.redhat.com/errata/RHSA-2014-0224.html
Comment 50 Tomas Hoger 2014-08-25 08:43:32 EDT
Multiple problems were discovered in the fix for this issue, which got separate CVE ids assigned and are tracked via separate bug reports - CVE-2012-6153 (bug 1129916) and CVE-2014-3577 (bug 1129074).