ID CVE-2014-3577
Summary org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
References
Vulnerable Configurations
  • Apache Software Foundation HttpClient 4.0
    cpe:2.3:a:apache:httpclient:4.0
  • Apache Software Foundation HttpClient 4.0 Alpha 1
    cpe:2.3:a:apache:httpclient:4.0:alpha1
  • Apache Software Foundation HttpClient 4.0 Alpha 2
    cpe:2.3:a:apache:httpclient:4.0:alpha2
  • Apache Software Foundation HttpClient 4.0 Alpha 3
    cpe:2.3:a:apache:httpclient:4.0:alpha3
  • Apache Software Foundation HttpClient 4.0 Alpha 4
    cpe:2.3:a:apache:httpclient:4.0:alpha4
  • Apache Software Foundation HttpClient 4.0 Beta 1
    cpe:2.3:a:apache:httpclient:4.0:beta1
  • Apache Software Foundation HttpClient 4.0 Beta 2
    cpe:2.3:a:apache:httpclient:4.0:beta2
  • Apache Software Foundation HttpClient 4.0.1
    cpe:2.3:a:apache:httpclient:4.0.1
  • Apache Software Foundation HttpClient 4.1
    cpe:2.3:a:apache:httpclient:4.1
  • Apache Software Foundation HttpClient 4.1 Alpha 1
    cpe:2.3:a:apache:httpclient:4.1:alpha1
  • Apache Software Foundation HttpClient 4.1 Alpha 2
    cpe:2.3:a:apache:httpclient:4.1:alpha2
  • Apache Software Foundation HttpClient 4.1 Beta 1
    cpe:2.3:a:apache:httpclient:4.1:beta1
  • Apache Software Foundation HttpClient 4.1.1
    cpe:2.3:a:apache:httpclient:4.1.1
  • Apache Software Foundation HttpClient 4.1.2
    cpe:2.3:a:apache:httpclient:4.1.2
  • Apache Software Foundation HttpClient 4.2
    cpe:2.3:a:apache:httpclient:4.2
  • Apache Software Foundation HttpClient 4.2 alpha1
    cpe:2.3:a:apache:httpclient:4.2:alpha1
  • Apache Software Foundation HttpClient 4.2 beta1
    cpe:2.3:a:apache:httpclient:4.2:beta1
  • Apache Software Foundation HttpClient 4.2.1
    cpe:2.3:a:apache:httpclient:4.2.1
  • Apache Software Foundation HttpClient 4.2.2
    cpe:2.3:a:apache:httpclient:4.2.2
  • Apache Software Foundation HttpClient 4.2.3
    cpe:2.3:a:apache:httpclient:4.2.3
  • Apache Software Foundation HttpClient 4.3
    cpe:2.3:a:apache:httpclient:4.3
  • Apache Software Foundation HttpClient 4.3 alpha1
    cpe:2.3:a:apache:httpclient:4.3:alpha1
  • Apache Software Foundation HttpClient 4.3 beta1
    cpe:2.3:a:apache:httpclient:4.3:beta1
  • Apache Software Foundation HttpClient 4.3 beta2
    cpe:2.3:a:apache:httpclient:4.3:beta2
  • Apache Software Foundation HttpClient 4.3.1
    cpe:2.3:a:apache:httpclient:4.3.1
  • Apache Software Foundation HttpClient 4.3.2
    cpe:2.3:a:apache:httpclient:4.3.2
  • Apache Software Foundation HttpClient 4.3.3
    cpe:2.3:a:apache:httpclient:4.3.3
  • Apache Software Foundation HttpClient 4.3.4
    cpe:2.3:a:apache:httpclient:4.3.4
  • Apache Software Foundation HttpAsyncClient 4.0
    cpe:2.3:a:apache:httpasyncclient:4.0
  • Apache Software Foundation HttpAsyncClient 4.0 alpha1
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha1
  • Apache Software Foundation HttpAsyncClient 4.0 alpha2
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha2
  • Apache Software Foundation HttpAsyncClient 4.0 alpha3
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha3
  • Apache Software Foundation HttpAsyncClient 4.0 beta1
    cpe:2.3:a:apache:httpasyncclient:4.0:beta1
  • Apache Software Foundation HttpAsyncClient 4.0 beta2
    cpe:2.3:a:apache:httpasyncclient:4.0:beta2
  • Apache Software Foundation HttpAsyncClient 4.0 beta3
    cpe:2.3:a:apache:httpasyncclient:4.0:beta3
  • Apache Software Foundation HttpAsyncClient 4.0 beta4
    cpe:2.3:a:apache:httpasyncclient:4.0:beta4
  • Apache Software Foundation HttpAsyncClient 4.0.1
    cpe:2.3:a:apache:httpasyncclient:4.0.1
CVSS
Base: 5.8 (as of 28-06-2016 - 13:02)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1321.NASL
    description Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 78008
    published 2014-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78008
    title RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2014:1321)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-410.NASL
    description Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
    last seen 2018-04-19
    modified 2018-04-18
    plugin id 78353
    published 2014-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78353
    title Amazon Linux AMI : jakarta-commons-httpclient (ALAS-2014-410)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0158.NASL
    description Red Hat Enterprise Virtualization Manager 3.5.0 is now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat Enterprise Virtualization Manager is a visual tool for centrally managing collections of virtual servers running Red Hat Enterprise Linux and Microsoft Windows. This package also includes the Red Hat Enterprise Virtualization Manager API, a set of scriptable commands that give administrators the ability to perform queries and operations on Red Hat Enterprise Virtualization Manager. The Manager is a JBoss Application Server application that provides several interfaces through which the virtual environment can be accessed and interacted with, including an Administration Portal, a User Portal, and a Representational State Transfer (REST) Application Programming Interface (API). It was discovered that the HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) A Cross-Site Request Forgery (CSRF) flaw was found in the oVirt REST API. A remote attacker could provide a specially crafted web page that, when visited by a user with a valid REST API session, would allow the attacker to trigger calls to the oVirt REST API. (CVE-2014-0151) It was found that the oVirt web admin interface did not include the HttpOnly flag when setting session IDs with the Set-Cookie header. This flaw could make it easier for a remote attacker to hijack an oVirt web admin session by leveraging a cross-site scripting (XSS) vulnerability. (CVE-2014-0154) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. These updated Red Hat Enterprise Virtualization Manager packages also include numerous bug fixes and various enhancements. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Virtualization 3.5 Manager Release Notes document, linked to in the References, for information on the most significant of these changes. All Red Hat Enterprise Virtualization Manager users are advised to upgrade to these updated packages, which resolve these issues and add these enhancements.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 85712
    published 2015-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85712
    title RHEL 6 : Virtualization Manager (RHSA-2015:0158)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9581.NASL
    description Security fix for CVE-2014-3577, CVE-2012-6153 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 77399
    published 2014-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77399
    title Fedora 20 : jakarta-commons-httpclient-3.1-15.fc20 (2014-9581)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1146.NASL
    description Updated httpcomponents-client packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 77521
    published 2014-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77521
    title RHEL 7 : httpcomponents-client (RHSA-2014:1146)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-222.NASL
    description CVE-2012-5783 and CVE-2012-6153 Apache Commons HttpClient 3.1 did not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Thanks to Alberto Fernandez Martinez for the patch. CVE-2014-3577 It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. The fix for CVE-2012-6153 was intended to address the incomplete patch for CVE-2012-5783. The issue is now completely resolved by applying this patch and the one for the previous CVEs. This upload was prepared by Markus Koschany. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-04-28
    plugin id 83545
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83545
    title Debian DLA-222-1 : commons-httpclient security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9539.NASL
    description Security fix for CVE-2014-3577, CVE-2012-6153 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 77396
    published 2014-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77396
    title Fedora 19 : jakarta-commons-httpclient-3.1-15.fc19 (2014-9539)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1833.NASL
    description Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 79204
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79204
    title RHEL 4 / 5 / 6 : JBoss EWP (RHSA-2014:1833)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1162.NASL
    description Updated Red Hat JBoss Enterprise Application Platform 6.3.0 packages that fix two security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.3.0 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 77561
    published 2014-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77561
    title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:1162)
  • NASL family CGI abuses
    NASL id WEBSPHERE_PORTAL_8_0_0_1_CF15.NASL
    description The version of IBM WebSphere Portal installed on the remote host is 8.0.0.x prior to 8.0.0.1 CF15. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in 'Apache Commons HttpClient' that allows a man-in-the-middle attacker to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. (CVE-2012-6153) - A flaw exists in 'Apache HttpComponents' that allows a man-in-the-middle attacker to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. (CVE-2014-3577) - An unspecified vulnerability exists that allows an authenticated attacker to execute arbitrary code on the system. (CVE-2014-4808) - A flaw exists due to improper recursion detection during entity expansion. A remote attacker, via a specially crafted XML document, can cause the system to crash, resulting in a denial of service. (CVE-2014-4814) - An information disclosure vulnerability exists that allows a remote attacker to identify whether or not a file exists based on the web server error codes. (CVE-2014-4821) - A cross-site scripting vulnerability exists in the 'Preview' plugin in CKEditor, which allows a remote attacker to inject arbitrary data via unspecified vectors. (CVE-2014-5191) - A cross-site scripting vulnerability exists that allows an attacker to inject arbitrary web script or HTML via a specially crafted URL. (CVE-2014-6171) - A flaw exists when the Managed Pages setting is enabled that allows a remote, authenticated attacker to write to pages via an XML injection attack. (CVE-2014-6193) - A cross-site scripting vulnerability exists in the Blog Portlet, which allows an attacker to inject arbitrary data via a specially crafted URL. (CVE-2014-8902)
    last seen 2017-10-29
    modified 2015-04-20
    plugin id 82850
    published 2015-04-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82850
    title IBM WebSphere Portal 8.0.0.x < 8.0.0.1 CF15 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9617.NASL
    description Security fix for CVE-2014-3577 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 77444
    published 2014-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77444
    title Fedora 20 : httpcomponents-client-4.2.5-4.fc20 (2014-9617)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-9629.NASL
    description Security fix for CVE-2014-3577 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 77445
    published 2014-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77445
    title Fedora 19 : httpcomponents-client-4.2.5-4.fc19 (2014-9629)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-2019.NASL
    description Updated Red Hat JBoss Enterprise Application Platform 6.3.2 packages that fix three security issues are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that the Apache CXF incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) It was found that Apache WSS4J (Web Services Security for Java), as used by Apache CXF with the TransportBinding, did not, by default, properly enforce all security requirements associated with SAML SubjectConfirmation methods. A remote attacker could use this flaw to perform various types of spoofing attacks on web service endpoints secured by WSS4j that rely on SAML for authentication. (CVE-2014-3623) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. All users of Red Hat JBoss Enterprise Application Platform 6.3.2 on Red Hat Enterprise Linux 5, 6, and 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 80159
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80159
    title RHEL 5 / 6 / 7 : JBoss EAP (RHSA-2014:2019)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1166.NASL
    description Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-04
    plugin id 77564
    published 2014-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77564
    title CentOS 5 / 6 / 7 : jakarta-commons-httpclient (CESA-2014:1166)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-1146.NASL
    description Updated httpcomponents-client packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-04
    plugin id 77507
    published 2014-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77507
    title CentOS 7 : httpcomponents-client (CESA-2014:1146)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1166.NASL
    description From Red Hat Security Advisory 2014:1166 : Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-06
    plugin id 77566
    published 2014-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77566
    title Oracle Linux 5 / 6 / 7 : jakarta-commons-httpclient (ELSA-2014-1166)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1834.NASL
    description Updated packages for Red Hat JBoss Enterprise Application Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications, which integrates the JBoss Application Server with JBoss Hibernate and JBoss Seam. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153, CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Application Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 79205
    published 2014-11-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79205
    title RHEL 4 / 5 / 6 : JBoss EAP (RHSA-2014:1834)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1320.NASL
    description Updated packages for Red Hat JBoss Enterprise Web Platform 5.2.0 that fix two security issues are now available for Red Hat Enterprise Linux 4, 5, and 6. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Enterprise Web Platform is a platform for Java applications, which integrates the JBoss Web Server with JBoss Hibernate and JBoss Seam. It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2012-6153) It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) The CVE-2012-6153 issue was discovered by Florian Weimer of Red Hat Product Security. For additional information on these flaws, refer to the Knowledgebase article in the References section. All users of Red Hat JBoss Enterprise Web Platform 5.2.0 on Red Hat Enterprise Linux 4, 5, and 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 78007
    published 2014-10-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78007
    title RHEL 4 / 5 / 6 : JBoss EWP (RHSA-2014:1320)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-1166.NASL
    description Updated jakarta-commons-httpclient packages that fix one security issue are now available for Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 77567
    published 2014-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77567
    title RHEL 5 / 6 / 7 : jakarta-commons-httpclient (RHSA-2014:1166)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-1146.NASL
    description From Red Hat Security Advisory 2014:1146 : Updated httpcomponents-client packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
    last seen 2017-10-29
    modified 2016-05-06
    plugin id 77515
    published 2014-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77515
    title Oracle Linux 7 : httpcomponents-client (ELSA-2014-1146)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2769-1.NASL
    description It was discovered that Apache Commons HttpClient did not properly verify the Common Name or subjectAltName fields of X.509 certificates. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-5783) Florian Weimer discovered the fix for CVE-2012-5783 was incomplete for Apache Commons HttpClient. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-6153) Subodh Iyengar and Will Shackleton discovered the fix for CVE-2012-5783 was incomplete for Apache Commons HttpClient. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. (CVE-2014-3577) It was discovered that Apache Commons HttpClient did not properly handle read timeouts during HTTPS handshakes. A remote attacker could trigger this flaw to cause a denial of service. (CVE-2015-5262) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-24
    plugin id 86401
    published 2015-10-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86401
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : commons-httpclient vulnerabilities (USN-2769-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_AC18046C9B0811E68011005056925DB4.NASL
    description Apache Axis2 reports : Apache Axis2 1.7.4 is a maintenance release that includes fixes for several issues, including the following security issues : Session fixation (AXIS2-4739) and XSS (AXIS2-5683) vulnerabilities affecting the admin console. A dependency on an Apache HttpClient version affected by known security vulnerabilities (CVE-2012-6153 and CVE-2014-3577); see AXIS2-5757.
    last seen 2017-10-29
    modified 2016-10-31
    plugin id 94419
    published 2016-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94419
    title FreeBSD : Axis2 -- Security vulnerabilities on dependency Apache HttpClient (ac18046c-9b08-11e6-8011-005056925db4)
redhat via4
advisories
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment httpcomponents-client is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146005
        • comment httpcomponents-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146006
      • AND
        • comment httpcomponents-client-javadoc is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146007
        • comment httpcomponents-client-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146008
    rhsa
    id RHSA-2014:1146
    released 2014-09-03
    severity Important
    title RHSA-2014:1146: httpcomponents-client security update (Important)
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166002
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270015
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166008
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270021
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166004
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270019
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166006
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270017
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166014
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166020
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166016
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166018
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166026
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166028
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166029
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166027
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    rhsa
    id RHSA-2014:1166
    released 2014-09-08
    severity Important
    title RHSA-2014:1166: jakarta-commons-httpclient security update (Important)
  • rhsa
    id RHSA-2014:1833
  • rhsa
    id RHSA-2014:1834
  • rhsa
    id RHSA-2014:1835
  • rhsa
    id RHSA-2014:1836
  • rhsa
    id RHSA-2014:1891
  • rhsa
    id RHSA-2014:1892
  • rhsa
    id RHSA-2015:0125
  • rhsa
    id RHSA-2015:0158
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
  • rhsa
    id RHSA-2015:0850
  • rhsa
    id RHSA-2015:0851
  • rhsa
    id RHSA-2015:1176
  • rhsa
    id RHSA-2015:1177
  • rhsa
    id RHSA-2015:1888
  • rhsa
    id RHSA-2016:1773
  • rhsa
    id RHSA-2016:1931
rpms
  • httpcomponents-client-0:4.2.5-5.el7_0
  • httpcomponents-client-javadoc-0:4.2.5-5.el7_0
  • jakarta-commons-httpclient-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-demo-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-javadoc-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-manual-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-demo-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-javadoc-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-manual-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-1:3.1-16.el7_0
  • jakarta-commons-httpclient-demo-1:3.1-16.el7_0
  • jakarta-commons-httpclient-javadoc-1:3.1-16.el7_0
  • jakarta-commons-httpclient-manual-1:3.1-16.el7_0
refmap via4
bid 69258
confirm
fulldisc 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
misc http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
osvdb 110143
sectrack 1030812
secunia
  • 60466
  • 60589
  • 60713
ubuntu USN-2769-1
xf apache-cve20143577-spoofing(95327)
Last major update 10-01-2017 - 21:59
Published 21-08-2014 - 10:55
Last modified 04-01-2018 - 21:29