ID CVE-2014-3577
Summary org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Vulnerable Configurations
  • Apache Software Foundation HttpClient 4.3.4
    cpe:2.3:a:apache:httpclient:4.3.4
  • Apache Software Foundation HttpClient 4.3.3
    cpe:2.3:a:apache:httpclient:4.3.3
  • Apache Software Foundation HttpClient 4.3.2
    cpe:2.3:a:apache:httpclient:4.3.2
  • Apache Software Foundation HttpClient 4.3.1
    cpe:2.3:a:apache:httpclient:4.3.1
  • Apache Software Foundation HttpClient 4.3
    cpe:2.3:a:apache:httpclient:4.3
  • Apache Software Foundation HttpClient 4.3 beta2
    cpe:2.3:a:apache:httpclient:4.3:beta2
  • Apache Software Foundation HttpClient 4.3 beta1
    cpe:2.3:a:apache:httpclient:4.3:beta1
  • Apache Software Foundation HttpClient 4.3 alpha1
    cpe:2.3:a:apache:httpclient:4.3:alpha1
  • Apache Software Foundation HttpClient 4.2.3
    cpe:2.3:a:apache:httpclient:4.2.3
  • Apache Software Foundation HttpClient 4.2.2
    cpe:2.3:a:apache:httpclient:4.2.2
  • Apache Software Foundation HttpClient 4.2.1
    cpe:2.3:a:apache:httpclient:4.2.1
  • Apache Software Foundation HttpClient 4.2
    cpe:2.3:a:apache:httpclient:4.2
  • Apache Software Foundation HttpClient 4.2 beta1
    cpe:2.3:a:apache:httpclient:4.2:beta1
  • Apache Software Foundation HttpClient 4.2 alpha1
    cpe:2.3:a:apache:httpclient:4.2:alpha1
  • Apache Software Foundation HttpClient 4.1.2
    cpe:2.3:a:apache:httpclient:4.1.2
  • Apache Software Foundation HttpClient 4.1.1
    cpe:2.3:a:apache:httpclient:4.1.1
  • Apache Software Foundation HttpClient 4.1
    cpe:2.3:a:apache:httpclient:4.1
  • Apache Software Foundation HttpClient 4.1 Beta 1
    cpe:2.3:a:apache:httpclient:4.1:beta1
  • Apache Software Foundation HttpClient 4.1 Alpha 2
    cpe:2.3:a:apache:httpclient:4.1:alpha2
  • Apache Software Foundation HttpClient 4.1 Alpha 1
    cpe:2.3:a:apache:httpclient:4.1:alpha1
  • Apache Software Foundation HttpClient 4.0.1
    cpe:2.3:a:apache:httpclient:4.0.1
  • Apache Software Foundation HttpClient 4.0
    cpe:2.3:a:apache:httpclient:4.0
  • Apache Software Foundation HttpClient 4.0 Beta 2
    cpe:2.3:a:apache:httpclient:4.0:beta2
  • Apache Software Foundation HttpClient 4.0 Beta 1
    cpe:2.3:a:apache:httpclient:4.0:beta1
  • Apache Software Foundation HttpClient 4.0 Alpha 4
    cpe:2.3:a:apache:httpclient:4.0:alpha4
  • Apache Software Foundation HttpClient 4.0 Alpha 3
    cpe:2.3:a:apache:httpclient:4.0:alpha3
  • Apache Software Foundation HttpClient 4.0 Alpha 2
    cpe:2.3:a:apache:httpclient:4.0:alpha2
  • Apache Software Foundation HttpClient 4.0 Alpha 1
    cpe:2.3:a:apache:httpclient:4.0:alpha1
  • Apache Software Foundation HttpAsyncClient 4.0.1
    cpe:2.3:a:apache:httpasyncclient:4.0.1
  • Apache Software Foundation HttpAsyncClient 4.0
    cpe:2.3:a:apache:httpasyncclient:4.0
  • Apache Software Foundation HttpAsyncClient 4.0 beta4
    cpe:2.3:a:apache:httpasyncclient:4.0:beta4
  • Apache Software Foundation HttpAsyncClient 4.0 beta3
    cpe:2.3:a:apache:httpasyncclient:4.0:beta3
  • Apache Software Foundation HttpAsyncClient 4.0 beta2
    cpe:2.3:a:apache:httpasyncclient:4.0:beta2
  • Apache Software Foundation HttpAsyncClient 4.0 beta1
    cpe:2.3:a:apache:httpasyncclient:4.0:beta1
  • Apache Software Foundation HttpAsyncClient 4.0 alpha3
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha3
  • Apache Software Foundation HttpAsyncClient 4.0 alpha2
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha2
  • Apache Software Foundation HttpAsyncClient 4.0 alpha1
    cpe:2.3:a:apache:httpasyncclient:4.0:alpha1
CVSS
Base: 5.8 (as of 28-06-2016 - 13:02)
Impact:
Exploitability:
Access
  Vector NETWORK
  Complexity MEDIUM
  Authentication NONE
Impact
  Confidentiality PARTIAL
  Integrity PARTIAL
  Availability NONE
redhat via4
advisories
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment httpcomponents-client is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146005
        • comment httpcomponents-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146006
      • AND
        • comment httpcomponents-client-javadoc is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146007
        • comment httpcomponents-client-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146008
    rhsa
    id RHSA-2014:1146
    released 2014-09-03
    severity Important
    title RHSA-2014:1146: httpcomponents-client security update (Important)
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166002
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270015
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166008
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270021
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166004
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270019
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166006
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270017
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166014
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166020
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166016
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166018
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166026
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166028
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166029
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166027
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    rhsa
    id RHSA-2014:1166
    released 2014-09-08
    severity Important
    title RHSA-2014:1166: jakarta-commons-httpclient security update (Important)
  • rhsa
    id RHSA-2014:1833
  • rhsa
    id RHSA-2014:1834
  • rhsa
    id RHSA-2014:1835
  • rhsa
    id RHSA-2014:1836
  • rhsa
    id RHSA-2014:1891
  • rhsa
    id RHSA-2014:1892
  • rhsa
    id RHSA-2015:0125
  • rhsa
    id RHSA-2015:0158
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
  • rhsa
    id RHSA-2015:0850
  • rhsa
    id RHSA-2015:0851
  • rhsa
    id RHSA-2015:1176
  • rhsa
    id RHSA-2015:1177
rpms
  • httpcomponents-client-0:4.2.5-5.el7_0
  • httpcomponents-client-javadoc-0:4.2.5-5.el7_0
  • jakarta-commons-httpclient-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-demo-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-javadoc-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-manual-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-demo-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-javadoc-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-manual-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-1:3.1-16.el7_0
  • jakarta-commons-httpclient-demo-1:3.1-16.el7_0
  • jakarta-commons-httpclient-javadoc-1:3.1-16.el7_0
  • jakarta-commons-httpclient-manual-1:3.1-16.el7_0
refmap via4
bid 69258
confirm
fulldisc 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
misc http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
osvdb 110143
sectrack 1030812
secunia
  • 60466
  • 60589
  • 60713
ubuntu USN-2769-1
xf apache-cve20143577-spoofing(95327)
Last major update 10-01-2017 - 21:59
Published 21-08-2014 - 10:55
Last modified 28-08-2017 - 21:34