Posted to dev@chemistry.apache.org by "Florian Müller (Jira)" <ji...@apache.org> on 2021/01/17 14:51:00 UTC

[jira] [Resolved] (CMIS-1113) Customized TrustManager bypasses certificate verification

     [ https://issues.apache.org/jira/browse/CMIS-1113?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Florian Müller resolved CMIS-1113.
----------------------------------
    Resolution: Not A Problem

See CMIS-1112.

> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: CMIS-1113
>                 URL: https://issues.apache.org/jira/browse/CMIS-1113
>             Project: Chemistry
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>
> We found a security vulnerability in file [chemistry-opencmis/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java]. The customized TrustManager (at Line 393) allows all certificates to pass the verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> *Solution we suggest:*
> Do not customize the TrustManager, or specify the certificate validation logic instead of allowing all certificates. To accept self-signed certificates, a proper way is to configure the trust store (see https://developer.android.com/training/articles/security-ssl#SelfSigned). Adding the certificate or its signer to the trust store allows the self-signed certificate while avoiding SSL spoofing.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
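The report above contrasts a trust-all X509TrustManager with a configured trust store. The following is an added example illustrating that contrast; it is not code from the Chemistry project or from the reporter, and it does not reproduce the workbench's ClientSession code. The certificate file path, the server URL and the class and method names are assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreExample {

    // Weak form (the shape the report describes, written here for illustration,
    // not copied from the workbench): every chain passes, so an attacker on the
    // network path can present any certificate and read or modify the traffic.
    static SSLContext trustAllContext() throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        return ctx;
    }

    // Hardened form: put the self-signed server certificate (or its signing CA)
    // into a trust store and let the platform TrustManager validate the chain.
    static SSLContext trustStoreContext(String pemPath) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate anchor;
        try (InputStream in = new FileInputStream(pemPath)) {
            anchor = (X509Certificate) cf.generateCertificate(in);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                      // fresh, empty in-memory store
        ks.setCertificateEntry("cmis-server", anchor);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                             // only this anchor is trusted

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs (not from the page): args[0] = PEM file holding the
        // server's self-signed certificate, args[1] = the HTTPS URL to reach.
        SSLContext ctx = trustStoreContext(args[0]);

        // HttpsURLConnection verifies the hostname itself; the trust store
        // handles the chain. Keep the default HostnameVerifier in place.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());

        // With a raw SSLSocket the hostname check is off by default; enable it,
        // otherwise any certificate chaining to the anchor is accepted for any host.
        URL u = new URL(args[1]);
        int port = u.getPort() == -1 ? 443 : u.getPort();
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(u.getHost(), port)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();                   // throws on chain or hostname mismatch
        }
    }
}
```

Run it as `java TrustStoreExample server.pem https://host:8443/...` with the server's certificate exported to `server.pem`. The trust-all context is kept only to show the pattern being reported; a client that needs a self-signed endpoint should use the trust-store context, and anything that opens sockets directly rather than through HttpsURLConnection needs the endpoint identification setting as well, since chain validation alone does not bind the certificate to the host name.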