1261538 – (CVE-2015-5262) CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout

Bug 1261538 (CVE-2015-5262) - CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS connection timeout

Summary: CVE-2015-5262 jakarta-commons-httpclient, httpcomponents-core: missing HTTPS ...

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	CVE-2015-5262
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1259892 1262207 1262210 1262211 1262214 1666895 1692289
Blocks:	1260680 1679418
TreeView+	depends on / blocked

Reported:	2015-09-09 15:03 UTC by Florian Weimer
Modified:	2021-02-17 04:56 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-09-25 06:21:44 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Apache JIRA	HTTPCLIENT-1478	0	None	None	None	Never

Internal Links: 1266356

Description Florian Weimer 2015-09-09 15:03:59 UTC

It was discovered that Apache HttpClient did not apply a configured
connection or read timeout during the initial handshake of an HTTPS
connection.  As a result, HTTPS connection could get stuck, causing
a denial of service if multiple such connections accumulate.

Comment 1 Florian Weimer 2015-09-09 15:06:25 UTC

Upstream patch:

http://svn.apache.org/viewvc/httpcomponents/httpclient/branches/4.3.x/httpclient/src/main/java/org/apache/http/conn/ssl/SSLConnectionSocketFactory.java?r1=1560975&r2=1626784

Originally reported in bug 1259892

Comment 3 Florian Weimer 2015-09-09 15:09:13 UTC

I could not reproduce this issue with HttpClient 4.2.x, mostly due to lack of relevant APIs.  According to the upstream report, it was fixed in version 4.3.6 of the 4.3.x branch.

Comment 4 Martin Prpič 2015-09-10 07:20:40 UTC

External References:

https://issues.apache.org/jira/browse/HTTPCLIENT-1478

Comment 7 Florian Weimer 2015-09-11 07:41:30 UTC

Created jakarta-commons-httpclient tracking bugs for this issue:

Affects: fedora-all [bug 1262207]

Comment 10 Fedora Update System 2015-10-01 16:06:24 UTC

jakarta-commons-httpclient-3.1-23.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2015-10-01 18:51:17 UTC

jakarta-commons-httpclient-3.1-23.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2015-10-01 20:23:11 UTC

jakarta-commons-httpclient-3.1-20.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.