Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <53F4217A.203@redhat.com>
Date: Wed, 20 Aug 2014 14:18:02 +1000
From: David Jorm <djorm@...hat.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack

Hi All

I noticed that the fix for CVE-2012-5784 was incomplete. The code added 
to check that the server hostname matches the domain name in the 
subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid 
certificate using a specially crafted subject.

Note that Axis 1 is EOL upstream, and the incomplete patch for 
CVE-2012-5784 was never merged upstream. It was, however, shipped by 
various vendors, including Debian and Red Hat. I do not believe Axis 2 
is affected.

The incomplete patch:

https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch

Is attached to this issue:

https://issues.apache.org/jira/browse/AXIS-2883

The flaw exists in the getCN(String) method. An attacker could craft a 
subject that includes a CN in a field other than the CN, and this CN 
would be used when validating the hostname.

Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this 
issue from the Red Hat CNA. I have now made this issue public:

https://access.redhat.com/security/cve/CVE-2014-3596

An upstream bug, along with a proposed patch, is available here:

https://issues.apache.org/jira/browse/AXIS-2905

Thanks
--
David Jorm / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.