It was found that the fix for CVE-2012-5783 was incomplete. The code added to check that the server host name matches the domain name in the subject's CN field was flawed. This can be exploited by a man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.
Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Upstream Commit: HttpClient/4.2.x Branch http://svn.apache.org/viewvc?view=revision&revision=1411705
Affects:
org.apache.httpcomponents:httpclient <= 4.2.2
commons-httpclient:commons-httpclient <= 3.1
Statement: Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533

This issue affects the versions of HttpComponents Client and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Virtualization 6. A future update may address this issue.

This issue did not affect the jakarta-commons-httpclient packages as shipped with Red Hat Enterprise Linux 5, 6, and 7, and httpcomponents-client packages as shipped with Red Hat Enterprise Linux 7.

Red Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/
Created jakarta-commons-httpclient tracking bugs for this issue: Affects: fedora-all [bug 1130941]
The fix for CVE-2014-3577 replaces the fix provided for issue CVE-2012-6153. Both CVE-2012-6153 and CVE-2012-5783 are considered to be resolved by a version of httpclient fixing CVE-2014-3577.
IssueDescription: It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
This issue has been addressed in the following products:
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
Via RHSA-2014:1082 https://rhn.redhat.com/errata/RHSA-2014-1082.html
The original issue CVE-2012-5783 was tracked via bug 873317. That fix added support for checking the connection host name against the X.509 certificate host name, which was not performed before at all. The check was implemented using code that took the string representation of the subject field, split it on commas, and checked each part to see if it contained the "CN=" substring. The fix applied upstream in version 4.2.3, which got CVE-2012-6153 assigned, changed the code to only extract the host name if the subject attribute started with "CN=". The fix prevented attacks using the "CN=" string as part of other subject attributes, such as organization ("O") or organizational unit ("OU"). I.e. it prevented a certificate with the following subject from being accepted as valid for host "bank.com":

OU=CN=bank.com,CN=evil.com

Even this improved fix was found to be incomplete, see CVE-2014-3577 (bug 1129074).
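The two generations of the CN check described above, as an added example that is not HttpClient's own code: both extractors are modelled from the comment's description rather than copied from the project, and the subject strings and host name are constructed samples.

```python
# Added example (not the HttpClient code): models the two CN-extraction variants
# described in the bug comment and runs them over constructed subject strings.

def cn_original(subject: str):
    """Pre-CVE-2012-6153 logic as described: split the subject on commas and
    take the first part that *contains* 'CN=' anywhere in it."""
    for part in subject.split(","):
        idx = part.find("CN=")
        if idx != -1:
            return part[idx + 3:].strip()
    return None


def cn_fixed(subject: str):
    """CVE-2012-6153 fix as described: only a part that *starts with* 'CN=' counts."""
    for part in subject.split(","):
        part = part.strip()
        if part.startswith("CN="):
            return part[3:]
    return None


def host_matches(subject: str, host: str, extractor=cn_fixed) -> bool:
    """Accept the certificate for `host` only if the extracted CN equals it
    (case-insensitive, as DNS names are)."""
    cn = extractor(subject)
    return cn is not None and cn.lower() == host.lower()


# Constructed subjects: a benign one, and the "OU=CN=" shape the comment describes.
BENIGN = "CN=bank.com,O=Bank"
CRAFTED = "OU=CN=bank.com,CN=evil.com"


def demo():
    """Returns (benign accepted?, crafted accepted?) for each extractor."""
    return {
        "original": (host_matches(BENIGN, "bank.com", cn_original),
                     host_matches(CRAFTED, "bank.com", cn_original)),
        "fixed": (host_matches(BENIGN, "bank.com", cn_fixed),
                  host_matches(CRAFTED, "bank.com", cn_fixed)),
    }


if __name__ == "__main__":
    # original: (True, True) -- the crafted subject passes; fixed: (True, False)
    print(demo())
```

The later weakness tracked as CVE-2014-3577 is not modelled because this page does not describe it; a robust check reads attributes from the parsed certificate structure rather than from a comma-split string rendering.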
(In reply to errata-xmlrpc from comment #19)
> This issue has been addressed in following products:
>
> Red Hat Software Collections 1 for Red Hat Enterprise Linux 6
> Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
>
> Via RHSA-2014:1082 https://rhn.redhat.com/errata/RHSA-2014-1082.html

This erratum updated the thermostat1-httpcomponents-client package. It incorrectly listed the package as affected by both CVE-2012-6153 and CVE-2014-3577, while it already contained the fix for CVE-2012-6153 and was only affected by CVE-2014-3577.
This issue has been addressed in the following products:
Red Hat Developer Toolset 2.1 for RHEL 6
Via RHSA-2014:1098 https://rhn.redhat.com/errata/RHSA-2014-1098.html
jakarta-commons-httpclient-3.1-15.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
jakarta-commons-httpclient-3.1-15.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue did not affect the jakarta-commons-httpclient packages shipped with Red Hat Enterprise Linux 5 and 6. Updated packages to address CVE-2012-5783 released via RHSA-2013:0270 corrected that issue without introducing CVE-2012-6153. The jakarta-commons-httpclient and httpcomponents-client packages shipped with Red Hat Enterprise Linux 7 were also not affected by this issue. All mentioned packages are affected by CVE-2014-3577.
This issue has been addressed in the following products:
JBEAP 6.3.z for RHEL 5
JBEAP 6.3.z for RHEL 6
JBEAP 6.3.z for RHEL 7
Via RHSA-2014:1162 https://rhn.redhat.com/errata/RHSA-2014-1162.html
This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.3.0
Via RHSA-2014:1163 https://rhn.redhat.com/errata/RHSA-2014-1163.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2014:1322 https://rhn.redhat.com/errata/RHSA-2014-1322.html
This issue has been addressed in the following products:
JBEWP 5 for RHEL 5
JBEWP 5 for RHEL 6
JBEWP 5 for RHEL 4
Via RHSA-2014:1320 https://rhn.redhat.com/errata/RHSA-2014-1320.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2014:1323 https://rhn.redhat.com/errata/RHSA-2014-1323.html
This issue has been addressed in the following products:
JBEAP 5 for RHEL 5
JBEAP 5 for RHEL 4
JBEAP 5 for RHEL 6
Via RHSA-2014:1321 https://rhn.redhat.com/errata/RHSA-2014-1321.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.2.0 Via RHSA-2014:1836 https://rhn.redhat.com/errata/RHSA-2014-1836.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.2.0 Via RHSA-2014:1835 https://rhn.redhat.com/errata/RHSA-2014-1835.html
This issue has been addressed in the following products:
JBEAP 5 for RHEL 6
JBEAP 5 for RHEL 5
JBEAP 5 for RHEL 4
Via RHSA-2014:1834 https://rhn.redhat.com/errata/RHSA-2014-1834.html
This issue has been addressed in the following products:
JBEWP 5 for RHEL 6
JBEWP 5 for RHEL 5
JBEWP 5 for RHEL 4
Via RHSA-2014:1833 https://rhn.redhat.com/errata/RHSA-2014-1833.html
This issue has been addressed in the following products: JBoss BPM Suite 6.0.3 Via RHSA-2014:1892 https://rhn.redhat.com/errata/RHSA-2014-1892.html
This issue has been addressed in the following products: JBoss BRMS 6.0.3 Via RHSA-2014:1891 https://rhn.redhat.com/errata/RHSA-2014-1891.html
This issue has been addressed in the following products: JBoss Operations Network 3.3.0 Via RHSA-2014:1904 https://rhn.redhat.com/errata/RHSA-2014-1904.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.3.2 Via RHSA-2014:2020 https://rhn.redhat.com/errata/RHSA-2014-2020.html
This issue has been addressed in the following products:
JBEAP 6.3.z for RHEL 6
JBEAP 6.3.z for RHEL 5
JBEAP 6.3.z for RHEL 7
Via RHSA-2014:2019 https://rhn.redhat.com/errata/RHSA-2014-2019.html
This issue has been addressed in the following products: JBoss Web Framework Kit 2.7.0 Via RHSA-2015:0125 https://rhn.redhat.com/errata/RHSA-2015-0125.html
This issue has been addressed in the following products: RHEV Manager version 3.5 Via RHSA-2015:0158 https://rhn.redhat.com/errata/RHSA-2015-0158.html
This issue has been addressed in the following products: Red Hat JBoss BRMS 6.0.3 Via RHSA-2015:0235 https://rhn.redhat.com/errata/RHSA-2015-0235.html
This issue has been addressed in the following products: Red Hat JBoss BPM Suite 6.0.3 Via RHSA-2015:0234 https://rhn.redhat.com/errata/RHSA-2015-0234.html
This issue has been addressed in the following products: JBoss Data Virtualization 6.1.0 Via RHSA-2015:0675 https://rhn.redhat.com/errata/RHSA-2015-0675.html
This issue has been addressed in the following products: Red Hat JBoss Fuse Service Works 6.0.0 Via RHSA-2015:0720 https://rhn.redhat.com/errata/RHSA-2015-0720.html
This issue has been addressed in the following products: Red Hat JBoss Data Virtualization 6.0.0 Via RHSA-2015:0765 https://rhn.redhat.com/errata/RHSA-2015-0765.html
This issue has been addressed in the following products: JBoss BPM Suite 6.1.0 Via RHSA-2015:0851 https://rhn.redhat.com/errata/RHSA-2015-0851.html
This issue has been addressed in the following products: JBoss BRMS 6.1.0 Via RHSA-2015:0850 https://rhn.redhat.com/errata/RHSA-2015-0850.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html