It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.
Acknowledgements: This issue was discovered by Arun Babu Neelicattu of Red Hat Product Security.
Statement: Red Hat JBoss SOA Platform 4 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/
Created not-yet-commons-ssl tracking bugs for this issue: Affects: fedora-all [bug 1132747]
Upstream Commit: http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml
This issue has been addressed in the following products: Red Hat JBoss SOA Platform 5.3.1 Via RHSA-2015:1888 https://rhn.redhat.com/errata/RHSA-2015-1888.html