Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2020/05/06 07:53:27 UTC

[GitHub] [cloudstack] Mahir92 opened a new issue #4058: Usage of Empty TrustManager Methods is insecure

Mahir92 opened a new issue #4058:
URL: https://github.com/apache/cloudstack/issues/4058


**Vulnerability Description:** In “plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java”, inside `private static class TrustAllTrustManager implements TrustManager, X509TrustManager`, the overridden methods have no body:

```java
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException
```

**Reason it’s vulnerable:** If a method responsible for checking certificates doesn’t have any body, then it will trust all certificates.

**Suggested Fix:** Adding necessary certificate verification logic in the overridden methods.

**Feedback:** Please select any of the options down below to help us get an idea about how you felt about the suggestion:

1. Liked it and will make the suggested changes
2. Liked it but happy with the existing version
3. Didn’t find the suggestion helpful


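The following is an added example (not code from the CloudStack project or from the issue author) showing the empty-body trust manager the issue describes next to a hardened form that delegates chain validation to the JDK's PKIX trust manager. The class and method names (`TrustManagerExample`, `verifyingTrustManager`, `verifyingContext`) are hypothetical, and the example assumes the operator supplies the vCenter CA in a PKCS12 trust store; with no path given it falls back to the JVM's default `cacerts`.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class TrustManagerExample {

    // "Before" form, as reported in the issue: every check is a no-op, so any
    // certificate (self-signed, expired, issued for a different host, revoked)
    // passes and a network-position attacker can impersonate vCenter.
    static final class TrustAllTrustManager implements X509TrustManager {
        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }

        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    // "After" form: do not hand-roll validation; obtain the platform's PKIX
    // X509TrustManager, initialised from either the JVM default trust store
    // (trustStore == null) or an operator-supplied PKCS12 store holding the CA
    // that issued the vCenter certificate (hypothetical helper name).
    static X509TrustManager verifyingTrustManager(Path trustStore, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (trustStore == null) {
            tmf.init((KeyStore) null);          // null means "use the JVM default cacerts"
        } else {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(trustStore)) {
                ks.load(in, password);           // assumption: store holds only trusted CA entries
            }
            tmf.init(ks);
        }
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;    // this one really checks the chain
            }
        }
        throw new IllegalStateException("no X509TrustManager available from " + tmf.getAlgorithm());
    }

    // Build an SSLContext whose trust decisions go through the verifying manager.
    static SSLContext verifyingContext(Path trustStore, char[] password) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { verifyingTrustManager(trustStore, password) }, null);
        return ctx;
    }

    // Defensive check a caller can run on a chain it already holds: returns
    // false instead of throwing, so the decision can be logged and acted on.
    static boolean chainIsTrusted(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected server chain: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java TrustManagerExample [/path/to/vcenter-ca.p12 [password]]
        Path store = args.length > 0 ? Path.of(args[0]) : null;
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;

        SSLContext ctx = verifyingContext(store, pw);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately keep the default HostnameVerifier: swapping in
        // "(host, session) -> true" would reopen the same hole as the empty
        // TrustManager, only one layer up.
        System.out.println("TLS context initialised with a verifying trust manager (store: "
                + (store == null ? "JVM default" : store) + ")");
    }
}
```

The point of delegating to `TrustManagerFactory` rather than writing chain logic by hand is that the PKIX implementation already handles expiry, signature verification, name constraints and path building; a custom implementation that tries to replicate only part of that is how the empty-method pattern usually starts. If a deployment genuinely needs a self-signed vCenter certificate, the fix is to import that certificate (or its issuing CA) into the trust store passed here, not to disable validation.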