Bug 910358 - jakarta-commons-httpclient: Wildcard matching in SSL hostname verifier incorrect (a different issue than CVE-2012-5783)
Assigned To: Red Hat Product Security
Depends On: 910363
Reported: 2013-02-12 08:17 EST by Jan Lieskovsky
Modified: 2014-03-03 10:56 EST (History)
Description Jan Lieskovsky 2013-02-12 08:17:54 EST
Originally, Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5783 to the following vulnerability:

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Later it was found that the SSL hostname verifier implementation (the CVE-2012-5783 fix) contained a bug in wildcard matching:
[1] https://issues.apache.org/jira/browse/HTTPCLIENT-1255

which still allowed certain types of certificate checks to pass, even if they shouldn't.

Relevant upstream patches:
[2] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406213
    (against 4.2.x branch)
[3] https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1406217
    (against trunk)

[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700268
Comment 1 Jan Lieskovsky 2013-02-12 08:31:01 EST
CVE Request:
Comment 2 Jan Lieskovsky 2013-02-12 08:32:03 EST
This issue affects the versions of the jakarta-commons-httpclient package as shipped with Fedora releases 17 and 18. Please schedule an update.
Comment 4 Jan Lieskovsky 2013-02-12 08:36:27 EST
Created jakarta-commons-httpclient tracking bugs for this issue

Affects: fedora-all [bug 910363]
Comment 5 Jan Lieskovsky 2013-02-12 08:49:41 EST
Taking back. This is not a security issue. We have previously investigated it with the following conclusion:

> /* Should HTTPCLIENT-1255 one be also classified as (another) CVE id? */

It is my understanding that this bug will cause valid certificates to be rejected, but not for invalid certificates to be accepted. Therefore I do not think it qualifies for a CVE ID.
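Both the description and comment 5 turn on how a verifier should treat a wildcard identity. The following is an added illustration written for this page, not httpclient's own code: it implements the RFC 6125-style rules a hostname verifier should apply (wildcard only as the whole leftmost label, matching exactly one label, SAN dNSNames preferred over the CN) and shows which names such an identity should and should not accept. Function names are assumptions.

```python
"""Defensive hostname/wildcard matching in the style of RFC 6125 (added example)."""
import ipaddress
from typing import Iterable


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def matches_identity(identity: str, hostname: str) -> bool:
    """True if a certificate identity (CN or SAN dNSName) matches hostname.

    Rules applied: compare case-insensitively; '*' is allowed only as the
    complete leftmost label and matches exactly one label, so '*.example.com'
    matches 'www.example.com' but neither 'example.com' nor 'a.b.example.com';
    a wildcard must leave at least two literal labels ('*.com' never matches);
    an IP-address hostname only matches an identical literal identity.
    """
    identity = identity.strip().rstrip(".").lower()
    hostname = hostname.strip().rstrip(".").lower()
    if not identity or not hostname:
        return False
    if "*" not in identity:
        return identity == hostname
    if _is_ip(hostname):
        return False
    id_labels = identity.split(".")
    host_labels = hostname.split(".")
    # Exactly one '*', and it must be the entire leftmost label (no 'w*.example.com').
    if id_labels[0] != "*" or identity.count("*") != 1:
        return False
    if len(id_labels) < 3:  # refuse '*.com'-style identities
        return False
    # One wildcard label consumes exactly one non-empty hostname label.
    return (len(host_labels) == len(id_labels)
            and all(host_labels)
            and host_labels[1:] == id_labels[1:])


def verify_hostname(hostname: str, san_dns: Iterable[str], cns: Iterable[str]) -> bool:
    """Prefer subjectAltName dNSNames; consult the CN only when no SAN dNSName exists."""
    san_dns = list(san_dns)
    candidates = san_dns if san_dns else list(cns)
    return any(matches_identity(c, hostname) for c in candidates)
```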
