Bug 873317 - (CVE-2012-5783) CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check against X.509 certificate name
CVE-2012-5783 jakarta-commons-httpclient: missing connection hostname check a...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20121016,repor...
: Reopened, Security
Depends On: 873319 887662 887663 887664 887665 887666 887667 887668 887669 887670 887671 887672 953308 1053968 1053969 1053970 1053971 1053972 1053973 1053974 1053975 1053976 1053977 1054567 1054568
Blocks: 873321 953709 956239 980652 1054573
  Show dependency treegraph
 
Reported: 2012-11-05 09:37 EST by Jan Lieskovsky
Modified: 2015-11-24 10:21 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-27 13:48:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBPAPP-10677 Major Resolved CVE-2012-5783 - commons-httpclient fix (EAP 5) 2016-08-29 10:40 EDT

  None (edit)
Description Jan Lieskovsky 2012-11-05 09:37:59 EST
Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via andaarbitrary valid certificate.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
Comment 1 Jan Lieskovsky 2012-11-05 09:40:58 EST
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 873319]
Comment 3 Jan Lieskovsky 2012-11-15 11:23:58 EST
Upstream ticket for 4.x:
[4] https://issues.apache.org/jira/browse/httpclient-613

and relevant patch for 4.x:
[5] http://svn.apache.org/viewvc?view=revision&revision=483925
Comment 9 Jan Lieskovsky 2012-11-15 12:33:37 EST
This issue affects the versions of the jakarta-commons-httpclient package, as shipped with Red Hat Enterprise Linux 5 and 6.
Comment 28 Fedora Update System 2013-02-01 11:27:09 EST
jakarta-commons-httpclient-3.1-12.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 29 Fedora Update System 2013-02-01 11:45:28 EST
jakarta-commons-httpclient-3.1-12.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 30 Fedora Update System 2013-02-01 11:49:43 EST
jakarta-commons-httpclient-3.1-12.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 31 errata-xmlrpc 2013-02-19 17:21:43 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:0270 https://rhn.redhat.com/errata/RHSA-2013-0270.html
Comment 35 errata-xmlrpc 2013-03-25 13:04:44 EDT
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.2.0

Via RHSA-2013:0679 https://rhn.redhat.com/errata/RHSA-2013-0679.html
Comment 36 errata-xmlrpc 2013-03-25 13:16:28 EDT
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5
  JBEWP 5 for RHEL 6

Via RHSA-2013:0682 https://rhn.redhat.com/errata/RHSA-2013-0682.html
Comment 37 errata-xmlrpc 2013-03-25 13:16:35 EDT
This issue has been addressed in following products:

  JBoss Enterprise Web Platform 5.2.0

Via RHSA-2013:0681 https://rhn.redhat.com/errata/RHSA-2013-0681.html
Comment 38 errata-xmlrpc 2013-03-25 13:17:12 EDT
This issue has been addressed in following products:

  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 6

Via RHSA-2013:0680 https://rhn.redhat.com/errata/RHSA-2013-0680.html
Comment 39 errata-xmlrpc 2013-04-22 17:27:20 EDT
This issue has been addressed in following products:

  JBoss Web Framework Kit 2.2.0

Via RHSA-2013:0763 https://rhn.redhat.com/errata/RHSA-2013-0763.html
Comment 40 errata-xmlrpc 2013-07-01 11:14:54 EDT
This issue has been addressed in following products:

  Red Hat JBoss BRMS 5.3.1

Via RHSA-2013:1006 https://rhn.redhat.com/errata/RHSA-2013-1006.html
Comment 41 errata-xmlrpc 2013-08-08 13:08:21 EDT
This issue has been addressed in following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2013:1147 https://rhn.redhat.com/errata/RHSA-2013-1147.html
Comment 42 errata-xmlrpc 2013-12-17 13:37:50 EST
This issue has been addressed in following products:

  Red Hat JBoss Operations Network 3.2.0

Via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html
Comment 48 errata-xmlrpc 2014-02-27 13:33:49 EST
This issue has been addressed in following products:

  RHEV Manager version 3.3

Via RHSA-2014:0224 https://rhn.redhat.com/errata/RHSA-2014-0224.html
Comment 50 Tomas Hoger 2014-08-25 08:43:32 EDT
Multiple problems were discovered in the fix for this issue, which got separate CVE ids assigned and are tracked via separate bug reports - CVE-2012-6153 (bug 1129916) and CVE-2014-3577 (bug 1129074).

Note You need to log in before you can comment on or make changes to this bug.