Red Hat Bugzilla – Bug 1129935
CVE-2014-3596 axis: SSL hostname verification bypass, incomplete CVE-2012-5784 fix
Last modified: 2018-11-05 17:39:07 EST
It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.
Statement: Note that Axis 1 is EOL upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1164433 Acknowledgements: This issue was discovered by David Jorm and Arun Neelicattu of Red Hat Product Security.
Upstream bug: https://issues.apache.org/jira/browse/AXIS-2905 Proposed upstream patch: https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch
The original issue CVE-2012-5784 was tracked via bug 873252. This problem is similar to Apache HttpComponents Client / Apache/Jakarta Commons HttpClient issue CVE-2014-3577, see bug 1129074 comment 23 for technical details.
IssueDescription: It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2014:1193 https://rhn.redhat.com/errata/RHSA-2014-1193.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1010 https://rhn.redhat.com/errata/RHSA-2015-1010.html