ID CVE-2014-3577
Summary org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. CWE-297: Improper Validation of Certificate with Host Mismatch (http://cwe.mitre.org/data/definitions/297.html)
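The summary describes a hostname verifier that looked for "CN=" in the textual form of the subject DN rather than in the parsed attribute types, so an attacker who can get a certificate for a name they control, with "foo,CN=www.apache.org" placed in the O attribute, ends up with a CN the verifier never should have seen. The Java program below is an added example, not code from this page or from HttpComponents: it puts a naive split-and-search extractor (modeled on the pattern the summary describes, not the library's exact code) beside a hardened one that parses the DN as RFC 2253 RDNs with javax.naming.ldap.LdapName, and applies the RFC 6125 rule that the CN is consulted only when the certificate has no dNSName subjectAltName. The two DN strings, the hostname attacker.example, and all function names are constructed for the illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.StringTokenizer;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Constructed subject DNs for a certificate a CA would plausibly issue to the
    // attacker-controlled name attacker.example (hypothetical), with the advisory's
    // "foo,CN=www.apache.org" string in the O attribute. Same DN, two string forms:
    // RFC 2253 backslash escaping (what X500Principal.getName(X500Principal.RFC2253)
    // emits) and RFC 1779-style quoting (a form a "friendly" toString() may emit).
    static final String ESCAPED_DN = "CN=attacker.example,O=foo\\,CN=www.apache.org";
    static final String QUOTED_DN  = "CN=attacker.example, O=\"foo,CN=www.apache.org\"";

    /** Vulnerable pattern: split the DN text on ',' and take whatever follows "CN=".
     *  Neither escaping nor quoting is understood, so attribute values are mistaken
     *  for attribute types. */
    static List<String> naiveCNs(String dn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(dn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3));
            }
        }
        return cns;
    }

    /** Hardened extraction: let an RFC 2253 parser split the DN into RDNs (escapes and
     *  quotes resolved by the parser) and keep only values whose attribute type is CN. */
    static List<String> rfc2253CNs(String dn) throws NamingException {
        List<String> cns = new ArrayList<>();
        List<Rdn> rdns = new LdapName(dn).getRdns();
        // LdapName indexes RDNs right to left; walk the leftmost (most specific) first.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            NamingEnumeration<? extends Attribute> attrs = rdns.get(i).toAttributes().getAll();
            while (attrs.hasMore()) {
                Attribute a = attrs.next();
                if (!"CN".equalsIgnoreCase(a.getID())) {
                    continue;
                }
                for (int j = 0; j < a.size(); j++) {
                    Object v = a.get(j);
                    if (v instanceof String) {   // #hex-encoded (byte[]) CNs can never match a hostname
                        cns.add((String) v);
                    }
                }
            }
        }
        return cns;
    }

    /** Exact, case-insensitive comparison; wildcard matching is deliberately left out. */
    static boolean anyMatches(String host, Collection<String> names) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String n : names) {
            if (n.toLowerCase(Locale.ROOT).equals(h)) {
                return true;
            }
        }
        return false;
    }

    /** RFC 6125 order: if the certificate carries any dNSName subjectAltName, the CN is
     *  ignored entirely; the CN is consulted only when no dNSName is present. */
    static boolean hostnameVerified(String host, List<String> sanDnsNames, String subjectDn)
            throws NamingException {
        if (!sanDnsNames.isEmpty()) {
            return anyMatches(host, sanDnsNames);
        }
        return anyMatches(host, rfc2253CNs(subjectDn));
    }

    public static void main(String[] args) throws NamingException {
        String target = "www.apache.org";
        List<String> noSans = new ArrayList<>();
        for (String dn : new String[] { ESCAPED_DN, QUOTED_DN }) {
            System.out.println("DN: " + dn);
            List<String> naive = naiveCNs(dn);
            List<String> strict = rfc2253CNs(dn);
            System.out.println("  naive   CNs=" + naive + "  accepts " + target + "? " + anyMatches(target, naive));
            System.out.println("  rfc2253 CNs=" + strict + "  accepts " + target + "? " + anyMatches(target, strict));
            System.out.println("  verified (no SAN, CN fallback)? " + hostnameVerified(target, noSans, dn));
        }
    }
}
```

On the backslash-escaped form the naive extractor returns both attacker.example and www.apache.org, so a connection to www.apache.org is accepted on a certificate issued for attacker.example; the RFC 2253 parser returns only attacker.example and rejects it. On the quoted form the naive extractor still invents a CN the CA never certified (with a stray quote attached); which stray characters end up where depends on how the runtime renders the DN string, which is exactly why the textual form is not a safe parsing target. In deployments the fix is the version bump the summary gives (HttpClient 4.3.5 or later, HttpAsyncClient 4.0.2 or later); the example exists to show what the old code got wrong, and to give a reference check for any custom X509HostnameVerifier that still parses DN text on its own.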
References
Vulnerable Configurations
  • cpe:2.3:a:apache:httpclient:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:alpha4:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.0.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpclient:4.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:alpha2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:alpha3:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:beta1:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:beta2:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:beta3:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0:beta4:*:*:*:*:*:*
  • cpe:2.3:a:apache:httpasyncclient:4.0.1:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 19-07-2018 - 01:29)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
  Vector: NETWORK
  Complexity: MEDIUM
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
redhat via4
advisories
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment httpcomponents-client is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146005
        • comment httpcomponents-client is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146006
      • AND
        • comment httpcomponents-client-javadoc is earlier than 0:4.2.5-5.el7_0
          oval oval:com.redhat.rhsa:tst:20141146007
        • comment httpcomponents-client-javadoc is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20141146008
    rhsa
    id RHSA-2014:1146
    released 2014-09-03
    severity Important
    title RHSA-2014:1146: httpcomponents-client security update (Important)
  • bugzilla
    id 1129074
    title CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331001
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166002
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270015
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166008
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270021
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166004
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270019
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.0-7jpp.4.el5_10
            oval oval:com.redhat.rhsa:tst:20141166006
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20130270017
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhba:tst:20111656001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhba:tst:20111656002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhba:tst:20111656003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20111656004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166014
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166020
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166016
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-0.9.el6_5
            oval oval:com.redhat.rhsa:tst:20141166018
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhba:tst:20150364001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhba:tst:20150364002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhba:tst:20150364003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhba:tst:20150364004
      • OR
        • AND
          • comment jakarta-commons-httpclient is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166026
          • comment jakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270006
        • AND
          • comment jakarta-commons-httpclient-demo is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166028
          • comment jakarta-commons-httpclient-demo is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270010
        • AND
          • comment jakarta-commons-httpclient-javadoc is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166029
          • comment jakarta-commons-httpclient-javadoc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270012
        • AND
          • comment jakarta-commons-httpclient-manual is earlier than 1:3.1-16.el7_0
            oval oval:com.redhat.rhsa:tst:20141166027
          • comment jakarta-commons-httpclient-manual is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20130270008
    rhsa
    id RHSA-2014:1166
    released 2014-09-08
    severity Important
    title RHSA-2014:1166: jakarta-commons-httpclient security update (Important)
  • rhsa
    id RHSA-2014:1833
  • rhsa
    id RHSA-2014:1834
  • rhsa
    id RHSA-2014:1835
  • rhsa
    id RHSA-2014:1836
  • rhsa
    id RHSA-2014:1891
  • rhsa
    id RHSA-2014:1892
  • rhsa
    id RHSA-2015:0125
  • rhsa
    id RHSA-2015:0158
  • rhsa
    id RHSA-2015:0675
  • rhsa
    id RHSA-2015:0720
  • rhsa
    id RHSA-2015:0765
  • rhsa
    id RHSA-2015:0850
  • rhsa
    id RHSA-2015:0851
  • rhsa
    id RHSA-2015:1176
  • rhsa
    id RHSA-2015:1177
  • rhsa
    id RHSA-2015:1888
  • rhsa
    id RHSA-2016:1773
  • rhsa
    id RHSA-2016:1931
rpms
  • httpcomponents-client-0:4.2.5-5.el7_0
  • httpcomponents-client-javadoc-0:4.2.5-5.el7_0
  • jakarta-commons-httpclient-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-demo-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-javadoc-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-manual-1:3.0-7jpp.4.el5_10
  • jakarta-commons-httpclient-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-demo-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-javadoc-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-manual-1:3.1-0.9.el6_5
  • jakarta-commons-httpclient-1:3.1-16.el7_0
  • jakarta-commons-httpclient-demo-1:3.1-16.el7_0
  • jakarta-commons-httpclient-javadoc-1:3.1-16.el7_0
  • jakarta-commons-httpclient-manual-1:3.1-16.el7_0
refmap via4
bid 69258
confirm
fulldisc 20140818 CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack
misc http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-Middle.html
osvdb 110143
sectrack 1030812
secunia
  • 60466
  • 60589
  • 60713
ubuntu USN-2769-1
xf apache-cve20143577-spoofing(95327)
Last major update 19-07-2018 - 01:29
Published 21-08-2014 - 14:55