It was discovered that the implementation used by the vt-ldap/ldaptive project to check that the server hostname matches the domain name in the certificate subject's CN field was flawed. This can be exploited by a man-in-the-middle (MITM) attack, where the attacker can spoof a valid certificate using a specially crafted subject.
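As an added illustration of the defender's side of this issue (example code written for this record, not vt-ldap's or ldaptive's own code), the check below shows what a strict hostname verifier has to do: parse the subject DN into RDNs instead of treating it as a string, take only the CN value, compare whole DNS labels case-insensitively, restrict wildcards to a single leftmost label, and prefer subjectAltName dNSName entries over the CN when any are present. The DN strings and hostnames are constructed samples.

```python
from typing import List, Optional, Sequence, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attribute, value) pairs, honouring '\\,' escapes."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch); escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf)); buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def subject_cn(dn: str) -> Optional[str]:
    """Return the value of the first CN RDN, or None if the subject has no CN."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    return None

def name_matches(pattern: str, hostname: str) -> bool:
    """Whole-label, case-insensitive comparison. A lone '*' is allowed only as the
    entire leftmost label, matches exactly one label, and needs two labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[1:] == p[1:]
    return p == h

def hostname_matches_subject(hostname: str, subject_dn: str,
                             san_dns_names: Sequence[str] = ()) -> bool:
    """RFC 6125 style: if the certificate carries dNSName SANs, only those count;
    the subject CN is consulted solely as a fallback when no SAN names exist."""
    if san_dns_names:
        candidates = list(san_dns_names)
    else:
        cn = subject_cn(subject_dn)
        candidates = [cn] if cn else []
    return any(name_matches(name, hostname) for name in candidates)
```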
Statement: Not Vulnerable. This issue only affects vtldap/ldaptive, which is not included in any supported Red Hat products.
Upstream Advisory: http://shibboleth.net/community/advisories/secadv_20140919.txt
Upstream Issue:
  vt-ldap: https://code.google.com/p/vt-middleware/issues/detail?id=226
  ldaptive: https://code.google.com/p/vt-middleware/issues/detail?id=227
            https://code.google.com/p/vt-middleware/issues/detail?id=228
Upstream Fix:
  vt-ldap: https://code.google.com/p/vt-middleware/source/detail?r=3046
  ldaptive: https://code.google.com/p/vt-middleware/source/detail?r=3052
            https://code.google.com/p/vt-middleware/source/detail?r=3053
Victims Record: https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3607.yaml