Posted to dev@chemistry.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/24 01:38:00 UTC

[jira] [Comment Edited] (CMIS-1112) Customized HostnameVerifier bypasses the hostname verification

    [ https://issues.apache.org/jira/browse/CMIS-1112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270796#comment-17270796 ] 

Ya Xiao edited comment on CMIS-1112 at 1/24/21, 1:37 AM:
---------------------------------------------------------

Thank you so much for replying. We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The reported one is what we got from certain tools.

We would really appreciate it if you could give us some information about the following questions. Your feedback is important for us to help improve the state of the art.
 1. What kind of bug checker/vulnerability detection tools are you using? Do you think they are helpful?
 2. Are there any types of bugs/security vulnerabilities you want the detection tools to pay more attention to?
 3. What kind of support do you expect from a useful bug detector? E.g. demonstration of exploits or some customized fixing suggestions?



> Customized HostnameVerifier bypasses the hostname verification
> --------------------------------------------------------------
>
>                 Key: CMIS-1112
>                 URL: https://issues.apache.org/jira/browse/CMIS-1112
>             Project: Chemistry
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>              Labels: patch, security
>
> In file chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java (https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java), the customized HostnameVerifier allows all hostnames to pass the verification (at Line 412).
> *Security Impact*:
> Hostname Verification is required to verify the identity of the other party. Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/297.html
> *Solution we suggest:*
> Do not customize the HostnameVerifier or specify the verification logic instead of allowing all hostnames. 
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
>  
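
The pattern described in the quoted issue, next to a corrected form and a regression check that flags an accept-all verifier; this is an added example, not part of the original message and not code from ClientSession.java. The class name, the method names and the hostname `host.example.invalid` are constructed for illustration, and the corrected form assumes an HttpsURLConnection-based client, where the verifier is called only after the built-in name check has found a mismatch.

```java
import java.lang.reflect.Proxy;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class HostnameVerifierCheck {
    // Constructed illustration of the reported pattern (CWE-297), not the
    // project's code: every hostname is accepted.
    static final HostnameVerifier ACCEPT_ALL = (hostname, session) -> true;

    // Corrected form: keep the JDK default, which rejects any name the
    // built-in HTTPS hostname check has already found to be a mismatch.
    static final HostnameVerifier STRICT =
            HttpsURLConnection.getDefaultHostnameVerifier();

    // Stub session (constructed) that presents no peer certificate, so no
    // verifier has grounds to accept any hostname for it.
    static SSLSession sessionWithoutPeerCertificate() {
        return (SSLSession) Proxy.newProxyInstance(
                SSLSession.class.getClassLoader(),
                new Class<?>[] {SSLSession.class},
                (proxy, method, args) -> {
                    String name = method.getName();
                    if (name.equals("getPeerCertificates") || name.equals("getPeerPrincipal")) {
                        throw new SSLPeerUnverifiedException("stub: no peer certificate");
                    }
                    Class<?> type = method.getReturnType();
                    if (type == boolean.class) return false;
                    if (type == int.class) return 0;
                    if (type == long.class) return 0L;
                    return null; // object and void return types
                });
    }

    // True when the verifier accepts a hostname for an unauthenticated peer,
    // which is the accept-all behaviour the issue describes.
    static boolean acceptsUnverifiedPeer(HostnameVerifier verifier) {
        try {
            return verifier.verify("host.example.invalid", sessionWithoutPeerCertificate());
        } catch (RuntimeException e) {
            return false; // the verifier failed closed
        }
    }

    public static void main(String[] args) {
        System.out.println("ACCEPT_ALL flagged: " + acceptsUnverifiedPeer(ACCEPT_ALL));
        System.out.println("STRICT flagged: " + acceptsUnverifiedPeer(STRICT));
    }
}
```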


