Bug 873317 (CVE-2012-5783) - CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
Summary: CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5783
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 873319 887662 887663 887664 887665 887666 887667 887668 887669 887670 887671 887672 953308 1053968 1053969 1053970 1053971 1053972 1053973 1053974 1053975 1053976 1053977 1054567 1054568
Blocks: 873321 953709 956239 980652 1054573
TreeView+ depends on / blocked
 
Reported: 2012-11-05 14:37 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:57 UTC (History)
14 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Clone Of:
Environment:
Last Closed: 2014-02-27 18:48:51 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
JBoss Issue Tracker JBPAPP-10677 Major Resolved CVE-2012-5783 - commons-httpclient fix (EAP 5) 2019-02-21 06:32:00 UTC
Red Hat Product Errata RHSA-2013:0270 normal SHIPPED_LIVE Moderate: jakarta-commons-httpclient security update 2013-02-20 03:20:31 UTC
Red Hat Product Errata RHSA-2013:0679 normal SHIPPED_LIVE Moderate: jakarta-commons-httpclient security update 2013-03-25 21:04:22 UTC
Red Hat Product Errata RHSA-2013:0680 normal SHIPPED_LIVE Moderate: jakarta-commons-httpclient security update 2013-03-25 21:14:51 UTC
Red Hat Product Errata RHSA-2013:0681 normal SHIPPED_LIVE Moderate: jakarta-commons-httpclient security update 2013-03-25 21:14:47 UTC
Red Hat Product Errata RHSA-2013:0682 normal SHIPPED_LIVE Moderate: jakarta-commons-httpclient security update 2013-03-25 21:14:40 UTC
Red Hat Product Errata RHSA-2013:0763 normal SHIPPED_LIVE Moderate: JBoss Web Framework Kit 2.2.0 update 2013-04-23 01:25:28 UTC
Red Hat Product Errata RHSA-2013:1006 normal SHIPPED_LIVE Important: Red Hat JBoss BRMS 5.3.1 update 2013-07-01 19:14:03 UTC
Red Hat Product Errata RHSA-2013:1147 normal SHIPPED_LIVE Moderate: Red Hat JBoss SOA Platform 5.3.1 update 2013-08-08 21:07:08 UTC
Red Hat Product Errata RHSA-2013:1853 normal SHIPPED_LIVE Moderate: Red Hat JBoss Operations Network 3.2.0 update 2013-12-17 23:36:29 UTC
Red Hat Product Errata RHSA-2014:0224 normal SHIPPED_LIVE Moderate: redhat-support-plugin-rhev security update 2014-02-27 23:33:22 UTC
Red Hat Product Errata RHSA-2017:0868 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse/A-MQ 6.3 R2 security and bug fix update 2017-04-04 01:02:28 UTC

Description Jan Lieskovsky 2012-11-05 14:37:59 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via andaarbitrary valid certificate.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml

Comment 1 Jan Lieskovsky 2012-11-05 14:40:58 UTC
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 873319]

Comment 3 Jan Lieskovsky 2012-11-15 16:23:58 UTC
Upstream ticket for 4.x:
[4] https://issues.apache.org/jira/browse/httpclient-613

and relevant patch for 4.x:
[5] http://svn.apache.org/viewvc?view=revision&revision=483925

Comment 9 Jan Lieskovsky 2012-11-15 17:33:37 UTC
This issue affects the versions of the jakarta-commons-httpclient package, as shipped with Red Hat Enterprise Linux 5 and 6.

Comment 28 Fedora Update System 2013-02-01 16:27:09 UTC
jakarta-commons-httpclient-3.1-12.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 29 Fedora Update System 2013-02-01 16:45:28 UTC
jakarta-commons-httpclient-3.1-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 30 Fedora Update System 2013-02-01 16:49:43 UTC
jakarta-commons-httpclient-3.1-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 31 errata-xmlrpc 2013-02-19 22:21:43 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0270 https://rhn.redhat.com/errata/RHSA-2013-0270.html

Comment 35 errata-xmlrpc 2013-03-25 17:04:44 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0679 https://rhn.redhat.com/errata/RHSA-2013-0679.html

Comment 36 errata-xmlrpc 2013-03-25 17:16:28 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0682 https://rhn.redhat.com/errata/RHSA-2013-0682.html

Comment 37 errata-xmlrpc 2013-03-25 17:16:35 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0681 https://rhn.redhat.com/errata/RHSA-2013-0681.html

Comment 38 errata-xmlrpc 2013-03-25 17:17:12 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0680 https://rhn.redhat.com/errata/RHSA-2013-0680.html

Comment 39 errata-xmlrpc 2013-04-22 21:27:20 UTC
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html

Comment 40 errata-xmlrpc 2013-07-01 15:14:54 UTC
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html

Comment 41 errata-xmlrpc 2013-08-08 17:08:21 UTC
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html

Comment 42 errata-xmlrpc 2013-12-17 18:37:50 UTC
This issue has been addressed in following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html

Comment 48 errata-xmlrpc 2014-02-27 18:33:49 UTC
This issue has been addressed in following products:

  RHEV Manager version 3.3

Via RHSA-2014:0224 https://rhn.redhat.com/errata/RHSA-2014-0224.html

Comment 50 Tomas Hoger 2014-08-25 12:43:32 UTC
Multiple problems were discovered in the fix for this issue, which got separate CVE ids assigned and are tracked via separate bug reports - CVE-2012-6153 (bug 1129916) and CVE-2014-3577 (bug 1129074).

Comment 53 errata-xmlrpc 2017-04-03 21:02:43 UTC
This issue has been addressed in the following products:



Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868

Comment 54 errata-xmlrpc 2018-07-02 15:51:28 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse

Via RHSA-2017:0868 https://access.redhat.com/errata/RHSA-2017:0868


Note You need to log in before you can comment on or make changes to this bug.