Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Upstream bug report: [1] https://issues.apache.org/jira/browse/AXIS2C-1619 References: [2] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf [3] http://www.openwall.com/lists/oss-security/2013/01/11/4 [4] http://mail-archives.apache.org/mod_mbox/axis-c-dev/201301.mbox/browser [5] http://www.openwall.com/lists/oss-security/2013/01/11/8
This issue affects the version of the axis2c package, as shipped with Fedora release of 17. Please schedule an update (once there is final upstream patch available).
Created axis2c tracking bugs for this issue Affects: fedora-17 [bug 894373]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.