Common Vulnerabilities and Exposures assigned an identifier CVE-2014-0363 to the following vulnerability:

Name: CVE-2014-0363
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0363
Assigned: 20131205
Reference: http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released
Reference: http://issues.igniterealtime.org/browse/SMACK-410
Reference: CERT-VN:VU#489228
Reference: http://www.kb.cert.org/vuls/id/489228

The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain. The man-in-the-middle attacker requires a certificate that is valid for any domain name.

Upstream patch:
http://fisheye.igniterealtime.org/changelog/smackgit?cs=93030c218c62cf0a0a8ea48746db1452fa34033c

From code inspection, this issue affects the 3.2.2 version in Fedora (the CERT advisory mentions version 3.4.1 and possibly earlier versions).
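The defect described above is a trust manager that checks signatures along the chain but not whether each intermediate is actually permitted to act as a CA. The usual mitigation is to stop hand-rolling chain checks and delegate to the JDK's PKIX path validator, which enforces basicConstraints (CA:TRUE and pathLenConstraint), nameConstraints, key usage and validity on every certificate in the path. The class below is an added illustration written for this entry; it is neither Smack's ServerTrustManager nor the upstream patch, and the class name, the constructor argument (a KeyStore of trusted root certificates) and the decision to leave revocation checking disabled are assumptions of this example.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical server trust manager (example code, not Smack's own) that
 * validates the presented chain with the JDK PKIX validator instead of
 * walking signatures by hand. PKIX rejects a chain in which a leaf
 * certificate (basicConstraints CA:FALSE, or no basicConstraints at all)
 * has been used to sign another certificate, which is exactly the
 * crafted-chain case in the advisory.
 */
public final class PkixServerTrustManager implements X509TrustManager {
    private final PKIXParameters params;
    private final CertPathValidator validator;
    private final X509Certificate[] anchors;

    /** @param trustStore a KeyStore whose trusted entries are the accepted root CAs (assumed caller-supplied). */
    public PkixServerTrustManager(KeyStore trustStore) throws GeneralSecurityException {
        // Throws if the store contains no trusted certificate entries.
        params = new PKIXParameters(trustStore);
        // Revocation checking is a separate concern in this example; enabling it
        // requires CRL/OCSP plumbing that is out of scope here.
        params.setRevocationEnabled(false);
        validator = CertPathValidator.getInstance("PKIX");

        List<X509Certificate> roots = new ArrayList<>();
        for (TrustAnchor ta : params.getTrustAnchors()) {
            roots.add(ta.getTrustedCert());
        }
        anchors = roots.toArray(new X509Certificate[0]);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        try {
            // The path is leaf-first, as delivered by the TLS stack. The validator
            // finds a trust anchor for the last certificate and checks, for every
            // CA certificate in between, basicConstraints, pathLenConstraint,
            // nameConstraints, keyUsage and the validity period.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            validator.validate(cf.generateCertPath(Arrays.asList(chain)), params);
        } catch (CertPathValidatorException e) {
            // Typical message for the advisory's case: a basic constraints check failure
            // on the certificate at e.getIndex() in the path.
            throw new CertificateException(
                    "server certificate chain rejected at index " + e.getIndex() + ": " + e.getMessage(), e);
        } catch (GeneralSecurityException e) {
            throw new CertificateException("unable to validate server certificate chain", e);
        }
        // Note: PKIX path validation says nothing about hostnames. The caller still
        // has to match the leaf certificate against the expected XMPP domain
        // (subjectAltName / CN), which is a separate check not shown here.
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // This trust manager is only meant for the client side of an XMPP connection.
        throw new CertificateException("client certificate authentication is not supported here");
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return anchors.clone();
    }
}
```

The point of the design is that every rule the advisory names (basicConstraints, nameConstraints) and several it does not (pathLenConstraint, keyUsage, expiry) are enforced by one well-tested validator rather than re-implemented; the remaining responsibility of the application is hostname matching, which the validator deliberately leaves to the caller.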
Created smack tracking bugs for this issue:

Affects: fedora-all [bug 1093274]
This issue has been addressed in the following products:

  JBoss BPM Suite 6.0.2

Via RHSA-2014:0819 https://rhn.redhat.com/errata/RHSA-2014-0819.html
This issue has been addressed in the following products:

  JBoss BRMS 6.0.2

Via RHSA-2014:0818 https://rhn.redhat.com/errata/RHSA-2014-0818.html
smack-3.2.2-8.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
smack-3.2.2-6.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.2.0

Via RHSA-2015:1176 https://rhn.redhat.com/errata/RHSA-2015-1176.html