Bug 889373 (CVE-2012-5662)

Summary: CVE-2012-5662 x3270: does not properly validate SSL certificates
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: dhorak, fweimer, pmattes-bugzilla, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2021-10-19 21:58:13 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 924183, 980316
Bug Blocks: 889374

Description Vincent Danen 2012-12-21 00:18:10 UTC
Florian Weimer of the Red Hat Product Security Team reported that x3270 did not properly validate SSL certificates.  If pr3287 connects to a host that has a mismatched hostname in the certificate, it does not warn that there is a problem with the certificate.

For instance, if bad.ssl.host points to the same IP as good.ssl.host, and it has an HTTPS certificate with the hostname for good.ssl.host:

$ gnutls-cli bad.ssl.host; echo $?
- The hostname in the certificate does NOT match 'bad.ssl.host'


$ pr3287 L:bad.ssl.host:443; echo $?

Later versions of x3270 introduced certificate chain validation, but the SSL validation support is incomplete, as was demonstrated above (pr3287 will not complain in such a case).

The version of x3270 as provided with Red Hat Enterprise Linux 6 (3.3.6) uses the system root CA store in /etc/pki/tls/cert.pem, with no way of overriding it.  The version as provided with Fedora 17 (3.3.12ga7) on the other hand does provide the -cadir and -cafile options that allow it to be overridden.
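The check that the report says pr3287 skips is the one that runs after chain validation succeeds: comparing the name the client dialled against the names the certificate was actually issued for. The following is an added example, not x3270 or pr3287 code, showing that comparison in Python against certificate data in the shape `ssl.SSLSocket.getpeercert()` returns (subjectAltName dNSName entries first, commonName only as a legacy fallback, a wildcard honoured only in the leftmost label). The certificate contents, the names good.ssl.host and bad.ssl.host, and the `cafile` override are constructed for the example; the `-cafile` behaviour it mirrors is the one the report attributes to x3270 3.3.12.

```python
"""Hostname verification for a TLS client: the step CVE-2012-5662 describes
pr3287 as missing after the certificate chain has been validated.

Added example, not x3270/pr3287 code.  cert dicts use the layout of
ssl.SSLSocket.getpeercert(), so hostname_matches() works on a live socket too.
"""
import socket
import ssl


def _dns_names(cert):
    """Names the certificate is valid for, per RFC 6125: subjectAltName
    dNSName entries when any exist, otherwise subject commonName (legacy)."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _name_matches(pattern, hostname):
    """Match one certificate name against a hostname, case-insensitively.
    A wildcard must be the whole leftmost label, appear once, cover exactly
    one label, and leave at least two fixed labels (so '*.com' is refused)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or pattern.count("*") != 1 or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(cert, hostname):
    """True if hostname is one of the names the certificate was issued for."""
    return any(_name_matches(name, hostname) for name in _dns_names(cert))


def verify_peer(cert, hostname):
    """Raise ssl.CertificateError on mismatch; returns None when the name fits."""
    if not hostname_matches(cert, hostname):
        names = ", ".join(_dns_names(cert)) or "<no names>"
        raise ssl.CertificateError(
            "hostname %r doesn't match certificate names: %s" % (hostname, names))


def rejects(cert, hostname):
    """Convenience for tests: does verify_peer() refuse this pairing?"""
    try:
        verify_peer(cert, hostname)
    except ssl.CertificateError:
        return True
    return False


def connect_verified(host, port=443, cafile=None):
    """Open a TLS connection that validates the chain *and* the hostname.
    cafile (assumed parameter) overrides the system trust store, the way the
    report says x3270 3.3.12's -cafile does.  Needs network; not run by tests."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True            # the stdlib's own version of verify_peer()
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain validation alone is not enough
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            verify_peer(tls.getpeercert(), host)  # same rule, applied explicitly
            return tls.version()


# Constructed certificate data (not from the bug): the good.ssl.host certificate
# that the report says is also served when connecting to bad.ssl.host.
GOOD_HOST_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "good.ssl.host"), ("DNS", "*.good.ssl.host")),
}
# A legacy certificate with no subjectAltName at all; CN fallback applies.
CN_ONLY_CERT = {"subject": ((("commonName", "good.ssl.host"),),)}
# CN says good.ssl.host but SAN exists and names something else: CN is ignored.
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "good.ssl.host"),),),
    "subjectAltName": (("DNS", "other.example"),),
}
# Over-broad wildcard that a validator must refuse.
BAD_WILDCARD_CERT = {"subjectAltName": (("DNS", "*.com"),)}

if __name__ == "__main__":
    print("bad.ssl.host rejected:", rejects(GOOD_HOST_CERT, "bad.ssl.host"))
```

The interesting cases are the ones an incomplete validator gets wrong: the certificate chains fine for bad.ssl.host, so only the name comparison distinguishes it from good.ssl.host; a commonName that is contradicted by a present subjectAltName must not rescue the connection; and a wildcard is never allowed to match more than one label or to sit anywhere but the leftmost position.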

Comment 1 Vincent Danen 2012-12-21 17:18:10 UTC
Version 3.3.12 is the first version that actually started doing SSL certificate verification.


Not vulnerable. This issue did not affect the versions of x3270 as shipped with Red Hat Enterprise Linux 5 and 6 as they did not include support for SSL certificate verification.

Comment 2 Vincent Danen 2012-12-21 17:23:20 UTC
Paul, I've assigned a CVE name to this issue (CVE-2012-5662), which would be ideal to use in any upstream commits for a fix.  Likewise, as this is not yet public we would like to coordinate a release date once we have a patch, so that we can inform other vendors prior to making any public commits, releases, or opening this bug up.

Comment 3 Stefan Cornelius 2013-03-21 10:36:40 UTC
Public now and updated upstream packages are available:

Comment 4 Stefan Cornelius 2013-03-21 10:46:52 UTC
Created x3270 tracking bugs for this issue

Affects: fedora-all [bug 924183]