SecurityTracker.com
Category:   Application (Generic)  >   Apache Axis
Vendors:   Apache Software Foundation
Apache Axis Certificate Validation Flaw Lets Remote Users Spoof Server Certificates
SecurityTracker Alert ID:  1030745
SecurityTracker URL:  http://securitytracker.com/id/1030745
CVE Reference:   CVE-2014-3596
Date:  Aug 20 2014
Impact:   Modification of authentication information
Vendor Confirmed:  Yes  
Version(s): Axis 1
Description:   A vulnerability was reported in Apache Axis. A remote user can spoof certificates.

A remote user with the ability to conduct a man-in-the-middle attack can exploit a flaw in how the getCN() method validates the subject's CN field to spoof a valid certificate.

The vulnerability is due to an incomplete patch for CVE-2012-5784.

David Jorm of Red Hat Product Security reported this vulnerability.

Impact:   A remote user can spoof certificates.
Solution:   No solution was available at the time of this entry.

A proposed patch is available at:

https://issues.apache.org/jira/browse/AXIS-2905

Vendor URL:  axis.apache.org/axis/
Cause:   Authentication error

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 15 2014 (Red Hat Issues Fix) Apache Axis Certificate Validation Flaw Lets Remote Users Spoof Server Certificates
Red Hat has issued a fix for Red Hat Enterprise Linux 5 and 6.
May 14 2015 (Red Hat Issues Fix for JBoss Portal) Apache Axis Certificate Validation Flaw Lets Remote Users Spoof Server Certificates
Red Hat has issued an advisory for JBoss Portal.



 Source Message Contents

Subject:  [oss-security] CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack

Hi All

I noticed that the fix for CVE-2012-5784 was incomplete. The code added 
to check that the server hostname matches the domain name in the 
subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid 
certificate using a specially crafted subject.

Note that Axis 1 is EOL upstream, and the incomplete patch for 
CVE-2012-5784 was never merged upstream. It was, however, shipped by 
various vendors, including Debian and Red Hat. I do not believe Axis 2 
is affected.

The incomplete patch:

https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch

Is attached to this issue:

https://issues.apache.org/jira/browse/AXIS-2883

The flaw exists in the getCN(String) method. An attacker could craft a 
subject that includes a CN in a field other than the CN, and this CN 
would be used when validating the hostname.

Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this 
issue from the Red Hat CNA. I have now made this issue public:

https://access.redhat.com/security/cve/CVE-2014-3596

An upstream bug, along with a proposed patch, is available here:

https://issues.apache.org/jira/browse/AXIS-2905

Thanks
--
David Jorm / Red Hat Product Security
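
The class of flaw described in the message above, as an added example that is not the Axis source or the proposed AXIS-2905 patch: a string search for "CN=" in the subject compared with parsing the subject into attribute/value pairs. The class and method names are hypothetical and both subject strings are constructed.

```java
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.List;

public class SubjectCnDemo {

    // Naive approach (illustrative only): treats the DN as a flat string and
    // returns whatever follows the first "CN=" it finds, in any attribute.
    static String naiveGetCN(String dn) {
        int i = dn.indexOf("CN=");
        if (i == -1) return null;
        int end = dn.indexOf(',', i);
        return dn.substring(i + 3, end == -1 ? dn.length() : end).trim();
    }

    // Structured approach: parse the DN into RDNs and accept a value only when
    // the attribute type itself is CN. Returns null when no CN is present.
    static String parsedGetCN(String dn) throws NamingException {
        List<Rdn> rdns = new LdapName(dn).getRdns();
        // getRdns() lists the right-most RDN first, so walk backwards to start
        // from the left-most (most specific) RDN.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            // toAttributes() also covers multi-valued RDNs such as CN=a+OU=b.
            Attribute cn = rdns.get(i).toAttributes().get("cn");
            if (cn != null && cn.get() instanceof String) {
                return (String) cn.get();
            }
        }
        return null;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed subjects: in the second one the O attribute's value
        // contains the text "CN=", while the real CN names a different host.
        String ordinary = "CN=www.example.com,O=Example Corp,C=US";
        String crafted = "O=CN=www.example.com,CN=other.example";

        for (String dn : new String[] { ordinary, crafted }) {
            System.out.println(dn);
            System.out.println("  naive : " + naiveGetCN(dn));
            System.out.println("  parsed: " + parsedGetCN(dn));
        }
    }
}
```

For the second subject the two methods disagree: the string search returns the text embedded in the O attribute, while the parsed lookup returns the value of the actual CN attribute.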
 
 

