Bug 910358

Summary: jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: agrimm, akurtako, bkearney, brms-jira, candlepin-bugs, ccrouch, cpelland, david, epp-bugs, jbpapp-maint, jomara, jpazdziora, katello-bugs, lgao, mizdebsk, mmccune, msuchy, myarboro, pcheung, rhq-maint, sclewis, soa-p-jira, theute, tkirby, weli
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-02-12 13:49:41 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 910363

Description Jan Lieskovsky 2013-02-12 13:17:54 UTC
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Later it was found that the SSL hostname verifier implementation (the CVE-2012-5783 fix) contained a bug in wildcard matching:
[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255

which still allowed certain types of certificate checks to pass even when they should not.

Relevant upstream patches:
[2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
    (against 4.2.x branch)
[3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
    (against trunk)

References:
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
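The wildcard rules a TLS hostname verifier has to enforce, as an added example (this is not the code of Apache Commons HttpClient or of the patches referenced above; the function names and the sample certificate dicts are this example's own): a reference matcher plus constructed test vectors. The vectors separate the two failure classes that decide the CVE question in this bug: a verifier that rejects a name in a row marked True has a functional bug (a valid certificate is refused), while one that accepts a name in a row marked False has a security bug (an invalid certificate is trusted).

```python
"""Reference hostname matching for TLS certificates (RFC 2818 / RFC 6125 style).

Added example: this is NOT Apache Commons HttpClient's verifier; the names
(matches_identity, verify_hostname, the sample certificates) are this
example's own.  It encodes the wildcard rules a verifier must enforce:

  * a wildcard matches exactly one DNS label, never across a dot;
  * the wildcard must be the entire leftmost label ("*.example.com",
    not "w*.example.com" or "www.*.com");
  * the wildcard needs at least two labels to its right, so "*.com"
    and "*" never match anything;
  * comparison is case-insensitive and ignores a trailing dot;
  * IP-address hostnames are never matched by a wildcard.
"""
import ipaddress


def _normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def matches_identity(identity: str, hostname: str) -> bool:
    """True if a certificate DNS identity (CN or dNSName SAN) matches hostname."""
    identity, hostname = _normalize(identity), _normalize(hostname)
    if not identity or not hostname:
        return False
    if _is_ip(hostname) or _is_ip(identity):
        # IP literals compare exactly; wildcards never apply to them.
        return identity == hostname
    if "*" not in identity:
        return identity == hostname

    id_labels = identity.split(".")
    host_labels = hostname.split(".")
    # Wildcard only as the whole leftmost label, nowhere else.
    if id_labels[0] != "*" or any("*" in lab for lab in id_labels[1:]):
        return False
    # "*.com" or a bare "*" would cover an entire TLD: refuse them.
    if len(id_labels) < 3:
        return False
    # One wildcard = one label: label counts must be equal and the remaining
    # labels must match exactly.  This rejects both "example.com" and
    # "a.b.example.com" for "*.example.com".
    if len(host_labels) != len(id_labels) or not host_labels[0]:
        return False
    return host_labels[1:] == id_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> bool:
    """cert is a constructed dict {'cn': str | None, 'dns_sans': [str, ...]}.

    dNSName SANs take precedence; the CN is consulted only when the
    certificate carries no dNSName SAN at all (RFC 6125 section 6.4.4).
    """
    sans = cert.get("dns_sans") or []
    if sans:
        return any(matches_identity(s, hostname) for s in sans)
    cn = cert.get("cn")
    return bool(cn) and matches_identity(cn, hostname)


# Constructed test vectors: (identity, hostname, expected).
# Rows marked True are names a verifier must accept (rejecting them is a
# functional bug); rows marked False must be refused (accepting them is a
# security bug).
CASES = [
    ("www.example.com", "www.example.com", True),
    ("www.example.com", "WWW.EXAMPLE.COM.", True),
    ("*.example.com", "www.example.com", True),
    ("*.example.com", "example.com", False),
    ("*.example.com", "a.b.example.com", False),
    ("*.example.com", "wwwexample.com", False),
    ("*.com", "example.com", False),
    ("*", "example.com", False),
    ("w*.example.com", "www.example.com", False),
    ("www.*.com", "www.example.com", False),
    ("*.example.com", "10.0.0.1", False),
    ("10.0.0.1", "10.0.0.1", True),
]


def failing_cases() -> list:
    """Return the vectors on which matches_identity disagrees with expectation."""
    return [(i, h, e) for i, h, e in CASES if matches_identity(i, h) != e]


if __name__ == "__main__":
    bad = failing_cases()
    print("all cases pass" if not bad else f"failures: {bad}")
```

When auditing a verifier fix like the one tracked here, run both halves of such a table against it: the rows marked False show whether the change opened a man-in-the-middle hole (which warrants a CVE), the rows marked True show whether it merely breaks legitimate wildcard certificates (which does not, per the conclusion in comment 5).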

Comment 1 Jan Lieskovsky 2013-02-12 13:31:01 UTC
CVE Request:
  http://www.openwall.com/lists/oss-security/2013/02/12/1

Comment 2 Jan Lieskovsky 2013-02-12 13:32:03 UTC
This issue affects the versions of the jakarta-commons-httpclient package as shipped with Fedora releases 17 and 18. Please schedule an update.

Comment 4 Jan Lieskovsky 2013-02-12 13:36:27 UTC
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 910363]

Comment 5 Jan Lieskovsky 2013-02-12 13:49:41 UTC
Taking back. This is not a security issue. We have previously investigated it with the following conclusion:

> /* Should HTTPCLIENT-1255 one be also classified as (another) CVE id? */

It is my understanding that this bug will cause valid certificates to be rejected, but not for invalid certificates to be accepted. Therefore I do not think it qualifies for a CVE ID.