Bug 1129916 (CVE-2012-6153) - CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-6153
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20140814,repo...
Depends On: 1138482 1129123 1129124 1129125 1129126 1129127 1129128 1129129 1129130 1129131 1129132 1129133 1129134 1129135 1129136 1129137 1129138 1129139 1129140 1129144 1129145 1129146 1129147 1129148 1129149 1129150 1129151 1129152 1129154 1129155 1129156 1129157 1129158 1129159 1129160 1129161 1129163 1129164 1129167 1129168 1129170 1129172 1129173 1129174 1129175 1129176 1129177 1129178 1129179 1129180 1129182 1129183 1129209 1130945 1130946 1130955 1130957 1130958 1131288 1143783 1143784 1143833 1155308 1155309 1155310 1155311 1155312 1155313 1155314 1155315 1155316 1155317 1155318 1155319 1155320 1155321 1155322 1155323 1155324 1155325 1155326 1156068 1156076 1156077 1156078 1156080 1160700 1160701 1161463 1167323 1168613 1537778
Blocks: 1129378 1129383 1130001 1130924 1130962 1131741 1139455 1151585 1155883 1155884 1159092 1181883 1182400 1182419 1183452 1187398 1200191 1210482 1244362 1244363
 
Reported: 2014-08-14 00:58 UTC by David Jorm
Modified: 2019-06-08 20:09 UTC (History)

Fixed In Version: httpcomponents-client 4.2.3
Doc Type: Bug Fix
Doc Text:
It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
Clone Of:
Environment:
Last Closed: 2016-03-11 20:40:58 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1098 normal SHIPPED_LIVE Important: devtoolset-2-httpcomponents-client security update 2014-08-26 20:32:35 UTC
Red Hat Product Errata RHSA-2014:1162 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update 2014-09-04 20:26:13 UTC
Red Hat Product Errata RHSA-2014:1163 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.0 security update 2014-09-04 21:16:45 UTC
Red Hat Product Errata RHSA-2014:1320 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-09-30 00:11:40 UTC
Red Hat Product Errata RHSA-2014:1321 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-09-30 00:22:16 UTC
Red Hat Product Errata RHSA-2014:1322 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-09-30 00:11:35 UTC
Red Hat Product Errata RHSA-2014:1323 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-09-30 00:22:10 UTC
Red Hat Product Errata RHSA-2014:1833 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-11-11 00:26:12 UTC
Red Hat Product Errata RHSA-2014:1834 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-11-11 00:25:56 UTC
Red Hat Product Errata RHSA-2014:1835 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Web Platform 5.2.0 security update 2014-11-11 00:25:52 UTC
Red Hat Product Errata RHSA-2014:1836 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 5.2.0 security update 2014-11-11 00:25:46 UTC
Red Hat Product Errata RHSA-2014:1891 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2014-11-25 01:46:15 UTC
Red Hat Product Errata RHSA-2014:1892 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 update 2014-11-25 01:46:11 UTC
Red Hat Product Errata RHSA-2014:1904 normal SHIPPED_LIVE Important: Red Hat JBoss Operations Network 3.3.0 update 2014-11-25 21:48:32 UTC
Red Hat Product Errata RHSA-2014:2019 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update 2014-12-18 22:58:44 UTC
Red Hat Product Errata RHSA-2014:2020 normal SHIPPED_LIVE Important: Red Hat JBoss Enterprise Application Platform 6.3.2 security update 2014-12-18 22:48:10 UTC
Red Hat Product Errata RHSA-2015:0125 normal SHIPPED_LIVE Important: Red Hat JBoss Web Framework Kit 2.7.0 update 2015-02-04 22:41:57 UTC
Red Hat Product Errata RHSA-2015:0158 normal SHIPPED_LIVE Important: Red Hat Enterprise Virtualization Manager 3.5.0 2015-02-11 22:38:50 UTC
Red Hat Product Errata RHSA-2015:0234 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.0.3 security update 2015-02-18 03:27:47 UTC
Red Hat Product Errata RHSA-2015:0235 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.0.3 security update 2015-02-18 03:27:36 UTC
Red Hat Product Errata RHSA-2015:0675 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.1.0 update 2015-03-11 20:51:21 UTC
Red Hat Product Errata RHSA-2015:0720 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse Service Works 6.0.0 security update 2015-03-25 01:05:53 UTC
Red Hat Product Errata RHSA-2015:0765 normal SHIPPED_LIVE Important: Red Hat JBoss Data Virtualization 6.0.0 security update 2015-03-31 21:00:43 UTC
Red Hat Product Errata RHSA-2015:0850 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 6.1.0 update 2015-04-16 20:02:45 UTC
Red Hat Product Errata RHSA-2015:0851 normal SHIPPED_LIVE Important: Red Hat JBoss BPM Suite 6.1.0 update 2015-04-16 20:02:37 UTC
Red Hat Product Errata RHSA-2015:1009 normal SHIPPED_LIVE Important: Red Hat JBoss Portal 6.2.0 update 2015-05-14 19:14:47 UTC
Red Hat Product Errata RHSA-2015:1888 normal SHIPPED_LIVE Important: Red Hat JBoss SOA Platform 5.3.1 security update 2015-10-12 19:27:33 UTC
Red Hat Bugzilla 1129074 None NEW CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix 2019-02-21 06:44:24 UTC
Red Hat Knowledge Base (Solution) 1165533 None None None Never

Internal Links: 1129074

Description David Jorm 2014-08-14 00:58:41 UTC
It was found that the fix for CVE-2012-5783 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.

Comment 1 David Jorm 2014-08-14 01:13:55 UTC
Acknowledgements:

This issue was discovered by Florian Weimer of Red Hat Product Security.

Comment 2 Arun Babu Neelicattu 2014-08-14 07:42:17 UTC
Upstream Commit:

HttpClient/4.2.x Branch
http://svn.apache.org/viewvc?view=revision&revision=1411705

Comment 4 Arun Babu Neelicattu 2014-08-14 07:53:41 UTC
Affects:

org.apache.httpcomponents:httpclient <= 4.2.2
commons-httpclient:commons-httpclient <= 3.1

Comment 5 Arun Babu Neelicattu 2014-08-14 08:29:44 UTC
Statement:

Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533

This issue affects the versions of HttpComponents Client and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Virtualization 6. A future update may address this issue.

This issue did not affect the jakarta-commons-httpclient packages as shipped with Red Hat Enterprise Linux 5, 6, and 7, and httpcomponents-client packages as shipped with Red Hat Enterprise Linux 7.

Red Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

Comment 14 Arun Babu Neelicattu 2014-08-18 09:37:42 UTC
Created jakarta-commons-httpclient tracking bugs for this issue:

Affects: fedora-all [bug 1130941]

Comment 15 Arun Babu Neelicattu 2014-08-18 09:40:56 UTC
The fix for the CVE-2014-3577 replaces the fix provided for issue CVE-2012-6153. Both CVE-2012-6153 and CVE-2012-5783 are considered to be resolved by a version of httpclient fixing CVE-2014-3577.

Comment 18 Martin Prpič 2014-08-20 08:13:54 UTC
IssueDescription:

It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

Comment 19 errata-xmlrpc 2014-08-20 10:41:59 UTC
This issue has been addressed in following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS

Via RHSA-2014:1082 https://rhn.redhat.com/errata/RHSA-2014-1082.html

Comment 20 Tomas Hoger 2014-08-25 13:13:58 UTC
The original issue CVE-2012-5783 was tracked via bug 873317.  That fix added support for checking the connection host name against the X.509 certificate host name, which was not performed before at all.  The check was implemented using code that used the string representation of the subject field, splitting it on commas, and checking each part to see if it contained a "CN=" substring.

The fix applied upstream in version 4.2.3, which got CVE-2012-6153 assigned, changed the code to only extract a host name if the subject attribute started with "CN=".  The fix prevented attacks using a "CN=" string as part of other subject attributes, such as organization ("O") or organizational unit ("OU").  I.e., it prevented a certificate with the following subject from being accepted as valid for host "bank.com":

  OU=CN=bank.com,CN=evil.com

Even this improved fix was found to be incomplete, see CVE-2014-3577 (bug 1129074).
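
Added illustration (not HttpClient's code and not part of this bug's comments): the two CN-extraction strategies described in comment 20, run against the string form of an X.509 subject. The "substring" extractor models the pre-4.2.3 check (any comma-separated token containing "CN=") and the "prefix" extractor models the 4.2.3 fix (only tokens starting with "CN="). The subjects are constructed for the example; it assumes, as the attack in comment 20 requires, that the host is compared against the first CN extracted, with a plain case-insensitive comparison and no wildcard or subjectAltName handling.

```python
# Added illustration (not HttpClient's code): models the two CN-extraction
# strategies described in comment 20, applied to the string form of an
# X.509 subject. Sample subjects below are constructed for the example.

def split_subject(subject: str) -> list[str]:
    """Split the subject's string form on commas, as the original code did."""
    return [tok.strip() for tok in subject.split(",") if tok.strip()]


def get_cns_substring(subject: str) -> list[str]:
    """Pre-4.2.3 behaviour: any token that *contains* 'CN=' is treated as a CN,
    so the token 'OU=CN=bank.com' yields 'bank.com'."""
    cns = []
    for tok in split_subject(subject):
        x = tok.find("CN=")
        if x >= 0:
            cns.append(tok[x + 3:])
    return cns


def get_cns_prefix(subject: str) -> list[str]:
    """4.2.3 fix (CVE-2012-6153): only tokens that *start with* 'CN='
    contribute a CN, so 'CN=' buried inside O or OU is ignored."""
    cns = []
    for tok in split_subject(subject):
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns


def host_matches_cert(host: str, subject: str, extract) -> bool:
    """Assumption for this illustration: the host is compared against the
    first CN returned by the extractor, case-insensitively, with no wildcard
    or subjectAltName handling."""
    cns = extract(subject)
    if not cns:
        return False
    return cns[0].lower() == host.lower()


# Constructed subjects: the crafted one is the example from comment 20.
LEGIT_SUBJECT = "CN=bank.com,O=Bank Inc,C=US"
CRAFTED_SUBJECT = "OU=CN=bank.com,CN=evil.com"


def demo() -> dict[str, bool]:
    """Return each strategy's verdict for the crafted and legitimate subjects."""
    return {
        "substring accepts crafted for bank.com":
            host_matches_cert("bank.com", CRAFTED_SUBJECT, get_cns_substring),
        "prefix accepts crafted for bank.com":
            host_matches_cert("bank.com", CRAFTED_SUBJECT, get_cns_prefix),
        "prefix accepts legit for bank.com":
            host_matches_cert("bank.com", LEGIT_SUBJECT, get_cns_prefix),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

With the substring extractor the crafted subject yields ["bank.com", "evil.com"] and is accepted for bank.com; with the prefix extractor it yields only ["evil.com"] and is rejected. As comment 20 notes, the prefix check was itself later found incomplete (CVE-2014-3577, bug 1129074); this page does not describe that bypass, so the example does not attempt to model it. The general lesson is that deriving the CN from the subject's string form is fragile, and the attribute should be read from the parsed certificate structure instead.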

Comment 21 Tomas Hoger 2014-08-25 13:40:11 UTC
(In reply to errata-xmlrpc from comment #19)
> This issue has been addressed in following products:
> 
>   Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
>   Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
> 
> Via RHSA-2014:1082 https://rhn.redhat.com/errata/RHSA-2014-1082.html

This erratum updated the thermostat1-httpcomponents-client package.  It incorrectly listed the package as affected by both CVE-2012-6153 and CVE-2014-3577, while it already contained the fix for CVE-2012-6153 and was only affected by CVE-2014-3577.

Comment 24 errata-xmlrpc 2014-08-26 16:33:04 UTC
This issue has been addressed in following products:

  Red Hat Developer Toolset 2.1 for RHEL 6

Via RHSA-2014:1098 https://rhn.redhat.com/errata/RHSA-2014-1098.html

Comment 25 Fedora Update System 2014-08-27 01:28:57 UTC
jakarta-commons-httpclient-3.1-15.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 26 Fedora Update System 2014-08-27 01:31:45 UTC
jakarta-commons-httpclient-3.1-15.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 27 Tomas Hoger 2014-08-27 16:27:38 UTC
This issue did not affect the jakarta-commons-httpclient packages shipped with Red Hat Enterprise Linux 5 and 6.  Updated packages to address CVE-2012-5783 released via RHSA-2013:0270 corrected that issue without introducing CVE-2012-6153.

The jakarta-commons-httpclient and httpcomponents-client packages shipped with Red Hat Enterprise Linux 7 were also not affected by this issue.

All mentioned packages are affected by CVE-2014-3577.

Comment 28 errata-xmlrpc 2014-09-04 16:26:54 UTC
This issue has been addressed in following products:

  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 7

Via RHSA-2014:1162 https://rhn.redhat.com/errata/RHSA-2014-1162.html

Comment 29 errata-xmlrpc 2014-09-04 17:16:59 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 6.3.0

Via RHSA-2014:1163 https://rhn.redhat.com/errata/RHSA-2014-1163.html

Comment 32 errata-xmlrpc 2014-09-29 20:12:51 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:1322 https://rhn.redhat.com/errata/RHSA-2014-1322.html

Comment 33 errata-xmlrpc 2014-09-29 20:13:42 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 4

Via RHSA-2014:1320 https://rhn.redhat.com/errata/RHSA-2014-1320.html

Comment 34 errata-xmlrpc 2014-09-29 20:22:40 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:1323 https://rhn.redhat.com/errata/RHSA-2014-1323.html

Comment 35 errata-xmlrpc 2014-09-29 20:22:57 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2014:1321 https://rhn.redhat.com/errata/RHSA-2014-1321.html

Comment 40 errata-xmlrpc 2014-11-10 19:26:29 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2014:1836 https://rhn.redhat.com/errata/RHSA-2014-1836.html

Comment 41 errata-xmlrpc 2014-11-10 19:27:05 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2014:1835 https://rhn.redhat.com/errata/RHSA-2014-1835.html

Comment 42 errata-xmlrpc 2014-11-10 19:27:51 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4

Via RHSA-2014:1834 https://rhn.redhat.com/errata/RHSA-2014-1834.html

Comment 43 errata-xmlrpc 2014-11-10 19:28:07 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 4

Via RHSA-2014:1833 https://rhn.redhat.com/errata/RHSA-2014-1833.html

Comment 46 errata-xmlrpc 2014-11-24 20:46:52 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.0.3

Via RHSA-2014:1892 https://rhn.redhat.com/errata/RHSA-2014-1892.html

Comment 47 errata-xmlrpc 2014-11-24 20:47:56 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.0.3

Via RHSA-2014:1891 https://rhn.redhat.com/errata/RHSA-2014-1891.html

Comment 48 errata-xmlrpc 2014-11-25 16:49:58 UTC
This issue has been addressed in the following products:

  JBoss Operations Network 3.3.0

Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html

Comment 49 errata-xmlrpc 2014-12-18 17:48:28 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.3.2

Via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html

Comment 50 errata-xmlrpc 2014-12-18 17:59:43 UTC
This issue has been addressed in the following products:

  JBEAP 6.3.z for RHEL 6
  JBEAP 6.3.z for RHEL 5
  JBEAP 6.3.z for RHEL 7

Via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html

Comment 51 errata-xmlrpc 2015-02-04 17:43:01 UTC
This issue has been addressed in the following products:

  JBoss Web Framework Kit 2.7.0

Via RHSA-2015:0125 https://rhn.redhat.com/errata/RHSA-2015-0125.html

Comment 52 errata-xmlrpc 2015-02-11 18:07:54 UTC
This issue has been addressed in the following products:

  RHEV Manager version 3.5

Via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html

Comment 53 errata-xmlrpc 2015-02-17 22:30:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.0.3

Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html

Comment 54 errata-xmlrpc 2015-02-17 22:34:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.0.3

Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html

Comment 56 errata-xmlrpc 2015-03-11 16:54:29 UTC
This issue has been addressed in the following products:

JBoss Data Virtualization 6.1.0

Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html

Comment 57 errata-xmlrpc 2015-03-24 21:07:39 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html

Comment 58 errata-xmlrpc 2015-03-31 17:02:11 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.0.0

Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html

Comment 62 errata-xmlrpc 2015-04-16 16:06:24 UTC
This issue has been addressed in the following products:

  JBoss BPM Suite 6.1.0

Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html

Comment 63 errata-xmlrpc 2015-04-16 16:11:20 UTC
This issue has been addressed in the following products:

  JBoss BRMS 6.1.0

Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html

Comment 65 errata-xmlrpc 2015-05-14 15:23:01 UTC
This issue has been addressed in the following products:

  JBoss Portal 6.2.0

Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html

Comment 66 errata-xmlrpc 2015-10-12 15:30:42 UTC
This issue has been addressed in the following products:

Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html

