Posted to java-dev@axis.apache.org by "Nilesh Shinde (JIRA)" <ji...@apache.org> on 2017/04/13 04:03:41 UTC

[jira] [Commented] (AXIS2-5757) Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577

    [ https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967085#comment-15967085 ] 

Nilesh Shinde commented on AXIS2-5757:
--------------------------------------

Where and how can I access the builds with fixes or patches for these issues? I am trying to refer to the link shared here, yet the link is not working.
NOT WORKING : https://builds.apache.org/job/axis2-1.7/72/

Why I need this: 

CVE-2015-5262 - http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

CVE-2012-6153 - http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.

CVE-2014-3577 - org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

CVE-2012-5783 - Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2011-1498 - Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.

The action I want to perform is to upgrade to version 4.3.6+ of commons-httpclient-4.3*.*.jar. I tried replacing it; however, it failed at runtime with the errors below:

ERROR [http-nio-8090-exec-1] (WarBasedAxisConfigurator.java:180) - org/apache/commons/httpclient/HttpException
org.apache.axis2.deployment.DeploymentException: org/apache/commons/httpclient/HttpException
	at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:699)
	at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:123)


> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>            Assignee: Andreas Veithen
>              Labels: security
>             Fix For: 1.7.4
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is susceptible to CVE-2012-6153, CVE-2014-3577.
> The vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3" is vulnerable. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed in the upcoming 1.7.2 or 1.8 release, or any other release? If yes, when would that be? The reason for this query is that our application uses Axis2 and is hence exposed to this vulnerability.
> Thanks,
> Regds,
> Deepak

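The CVE-2012-6153 / CVE-2014-3577 descriptions above boil down to one parsing defect: an HttpClient hostname verifier that split the certificate's subject DN string on commas and accepted every token beginning with "CN=", so a "CN=" sequence embedded in another attribute's value (the O field) was mistaken for the real Common Name. The following Python, added here as an illustration and not code from HttpClient or Axis2, contrasts that tokenizing approach with an attribute-aware DN parse. The DN string and hostnames are constructed for the example; the DN is written in RFC 2253 escaped form (a literal comma inside a value is preceded by a backslash).

```python
# Constructed subject DN: the real CN is "other.example"; the O attribute's
# value merely contains the text "CN=www.apache.org" (escaped comma inside it).
CONSTRUCTED_DN = r"CN=other.example,O=foo\,CN=www.apache.org,C=US"


def naive_cns(dn: str) -> list[str]:
    """Mirror the flawed approach: split on ',' and collect every 'CN=' token,
    ignoring quoting and backslash escapes entirely."""
    cns = []
    for tok in dn.split(","):
        tok = tok.strip()
        if tok[:3].upper() == "CN=":
            cns.append(tok[3:])
    return cns


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Attribute-aware parse: a ',' separates RDNs only when it is neither
    backslash-escaped nor inside a double-quoted value."""
    rdns, buf, quoted, escaped = [], [], False, False
    for ch in dn:
        if escaped:                 # previous char was '\': take ch literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':             # RFC 1779-style quoting, also honoured
            quoted = not quoted
        elif ch == "," and not quoted:
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        key, _, value = rdn.strip().partition("=")
        pairs.append((key.strip().upper(), value))
    return pairs


def strict_cns(dn: str) -> list[str]:
    """Only values whose attribute type is really CN."""
    return [v for k, v in parse_dn(dn) if k == "CN"]


def hostname_matches(host: str, cns: list[str]) -> bool:
    """Simplified CN check (no wildcards, no subjectAltName) for the demo."""
    return any(cn.lower() == host.lower() for cn in cns)
```

With the constructed DN, the tokenizing approach accepts the certificate for www.apache.org while the attribute-aware parse correctly reports only other.example as the CN; a verifier must also prefer subjectAltName over the CN, which this demo omits.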


--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
