Bug 1709379 (CVE-2018-20200) - CVE-2018-20200 okhttp: certificate pinning bypass
Summary: CVE-2018-20200 okhttp: certificate pinning bypass
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2018-20200
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1709380
Blocks: 1709384
TreeView+ depends on / blocked
 
Reported: 2019-05-13 13:35 UTC by msiddiqu
Modified: 2019-12-11 01:24 UTC (History)
42 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-12-11 01:24:01 UTC


Attachments (Terms of Use)

Description msiddiqu 2019-05-13 13:35:19 UTC
CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application.

Upstream issue:

https://github.com/square/okhttp/issues/4967

References:

https://cxsecurity.com/issue/WLB-2018120252 
https://github.com/square/okhttp/commits/master 
https://github.com/square/okhttp/releases 
https://square.github.io/okhttp/3.x/okhttp/

Comment 1 msiddiqu 2019-05-13 13:35:35 UTC
Created okhttp tracking bugs for this issue:

Affects: fedora-all [bug 1709380]

Comment 3 Sam Fowler 2019-09-19 05:18:49 UTC
Statement:

OkHttp is used by OpenShift Container Platform in the Aggregated Logging stack. This issue is not considered a vulnerability for OpenShift Container Platform as the prerequisite for exploitation is the ability to inject code into the application.

Comment 5 Product Security DevOps Team 2019-12-11 01:24:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-20200


Note You need to log in before you can comment on or make changes to this bug.