Red Hat Bugzilla – Bug 910358
jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
Last modified: 2014-03-03 10:56:44 EST
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Later it was found that the SSL hostname verifier implementation (CVE-2012-5783 fix) contained a bug in wildcard matching:
which still allowed certain types of certificate checks to pass, even if they shouldn't.
Relevant upstream patches:
(against 4.2.x branch)
This issue affects the versions of the jakarta-commons-httpclient package as shipped with Fedora releases 17 and 18. Please schedule an update.
Created jakarta-commons-httpclient tracking bugs for this issue
Affects: fedora-all [bug 910363]
Taking back. This is not a security issue. We have previously investigated it with the following conclusion:
> /* Should HTTPCLIENT-1255 one be also classified as (another) CVE id? */
It is my understanding that this bug will cause valid certificates to be rejected, but not invalid certificates to be accepted. Therefore I do not think it qualifies for a CVE ID.
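For readers following the distinction drawn above (rejecting valid certificates versus accepting invalid ones), here is an added Python sketch of the wildcard rules a hostname verifier is expected to enforce, modelled on RFC 2818 and RFC 6125. It is not code from Commons HttpClient, from the upstream patches, or from this report; the function names and the exact rule set are this example's own assumptions.

```python
"""Strict wildcard matching for X.509 hostname verification (constructed example).

Rules enforced, following RFC 2818 / RFC 6125 (assumed here, not HttpClient's code):
  * a wildcard is only accepted as the complete left-most label ("*.example.com")
  * it stands in for exactly one label, so "a.b.example.com" is not covered
  * the suffix must have at least two labels, so "*.com" and bare "*" are rejected
  * matching is case-insensitive and a trailing dot on the hostname is ignored
"""
import re

# One DNS label: letters, digits and hyphens, not starting or ending with a hyphen.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    """Split a name into lower-cased labels, or return None if any label is malformed."""
    labels = name.lower().rstrip(".").split(".")
    return labels if all(LABEL.match(label) for label in labels) else None


def matches_identity(identity, hostname):
    """Return True if a certificate identity (dNSName or CN) covers hostname."""
    host = _labels(hostname)
    if host is None or "*" in hostname:          # the requested hostname itself is never a pattern
        return False
    if "*" not in identity:                      # plain identity: exact label-by-label match
        ident = _labels(identity)
        return ident is not None and ident == host
    first, sep, rest = identity.lower().partition(".")
    if first != "*" or not sep:                  # partial wildcards ("f*.example.com") and bare "*" rejected
        return False
    suffix = _labels(rest)
    if suffix is None or len(suffix) < 2:        # refuse "*.com"-style identities
        return False
    return len(host) == len(suffix) + 1 and host[1:] == suffix


def verify_hostname(hostname, dns_sans, common_name=None):
    """Check dNSName SANs; fall back to the CN only when no dNSName SAN is present (RFC 6125 6.4.4)."""
    if dns_sans:
        return any(matches_identity(identity, hostname) for identity in dns_sans)
    return common_name is not None and matches_identity(common_name, hostname)
```

The accept cases show what a correct verifier must not reject, and the reject cases show what it must not let through.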