Posted to dev@hc.apache.org by Miriam Celi <mc...@us.ibm.com> on 2016/05/17 14:35:45 UTC

Is Apache HTTPclient 4.2.5 vulnerable to CVE-2014-3577?
Hello HttpComponents Dev Team,

Our team is trying to figure out if Apache HTTPclient 4.2.5 is vulnerable
to CVE-2014-3577 (Apache HttpComponents certificate spoofing). I did not
see Apache HTTPclient 4.2.5 listed as a vulnerable version in the NIST
Vulnerability Database CVE article (
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but wanted
to check with you in case that version has been missed from the list or is
actually ok to use (not vulnerable). The list of vulnerable versions in the
article is:

Vulnerable software and versions
+ Configuration 1
+ OR
cpe:/a:apache:httpasyncclient:4.0.1 and previous versions
cpe:/a:apache:httpasyncclient:4.0
cpe:/a:apache:httpasyncclient:4.0:beta4
cpe:/a:apache:httpasyncclient:4.0:beta3
cpe:/a:apache:httpasyncclient:4.0:beta2
cpe:/a:apache:httpasyncclient:4.0:beta1
cpe:/a:apache:httpasyncclient:4.0:alpha3
cpe:/a:apache:httpasyncclient:4.0:alpha2
cpe:/a:apache:httpasyncclient:4.0:alpha1
+ Configuration 2
+ OR
cpe:/a:apache:httpclient:4.3.4 and previous versions
cpe:/a:apache:httpclient:4.3.3
cpe:/a:apache:httpclient:4.3.2
cpe:/a:apache:httpclient:4.3.1
cpe:/a:apache:httpclient:4.3
cpe:/a:apache:httpclient:4.3:beta2
cpe:/a:apache:httpclient:4.3:beta1
cpe:/a:apache:httpclient:4.3:alpha1
cpe:/a:apache:httpclient:4.2.3
cpe:/a:apache:httpclient:4.2.2
cpe:/a:apache:httpclient:4.2.1
cpe:/a:apache:httpclient:4.2
cpe:/a:apache:httpclient:4.2:beta1
cpe:/a:apache:httpclient:4.2:alpha1
cpe:/a:apache:httpclient:4.1.2
cpe:/a:apache:httpclient:4.1.1
cpe:/a:apache:httpclient:4.1
cpe:/a:apache:httpclient:4.1:beta1
cpe:/a:apache:httpclient:4.1:alpha2
cpe:/a:apache:httpclient:4.1:alpha1
cpe:/a:apache:httpclient:4.0.1
cpe:/a:apache:httpclient:4.0
cpe:/a:apache:httpclient:4.0:beta2
cpe:/a:apache:httpclient:4.0:beta1
cpe:/a:apache:httpclient:4.0:alpha4
cpe:/a:apache:httpclient:4.0:alpha3
cpe:/a:apache:httpclient:4.0:alpha2
cpe:/a:apache:httpclient:4.0:alpha1

Thank you for your assistance.

Best regards,
Miriam Celi
Security Architect
IBM Analytics - InfoSphere Information Server

E-mail: mceli@us.ibm.com
Phone: 561.702.9206 (mobile)

"Security is everyone's responsibility"

Re: Is Apache HTTPclient 4.2.5 vulnerable to CVE-2014-3577?

Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2016-05-17 at 10:35 -0400, Miriam Celi wrote:
> Hello HttpComponents Dev Team,
> 
> Our team is trying to figure out if Apache HTTPclient 4.2.5 is
> vulnerable to CVE-2014-3577 (Apache HttpComponents certificate
> spoofing). I did not see Apache HTTPclient 4.2.5 listed as a
> vulnerable version in the NIST Vulnerability Database CVE article
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but
> wanted to check with you in case that version has been missed from the
> list or is actually ok to use (not vulnerable). The list of vulnerable
> versions in the article are:
> 

All 4.2 versions are vulnerable

https://github.com/apache/httpclient/blob/4.2.x/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java

Oleg
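To make the reply above concrete for anyone auditing their own dependency on a 4.2.x release, here is an added example (written for this thread, not code from the HttpComponents project or from the AbstractVerifier.java file linked above) of the bug class CVE-2014-3577 describes: a hostname verifier that extracts the certificate's Common Name by splitting the subject DN string on commas, so a "CN=" fragment embedded in another attribute such as O is mistaken for a real CN. The naive method is a simplified reconstruction of that pattern, the hardened method parses the DN with the JDK's javax.naming.ldap.LdapName and only accepts RDNs whose attribute type is actually CN, and the subject DN is a constructed sample. The class and method names are hypothetical.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;

public class CnExtractionDemo {

    // Simplified reconstruction of the weak pattern: split the DN string on
    // every comma (ignoring RFC 2253 escaping) and treat any token that
    // contains "CN=" as a Common Name. A comma escaped inside another
    // attribute's value still splits, so an embedded "CN=..." leaks through.
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3).trim());
            }
        }
        return cns;
    }

    // Hardened extraction: parse the DN as a proper sequence of RDNs and
    // take the value only of RDNs whose attribute type is CN. Escaped
    // commas stay inside their attribute value where they belong.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        LdapName name = new LdapName(subjectDn);
        for (Rdn rdn : name.getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    // Minimal exact-match check against the extracted CNs, case-insensitive.
    static boolean hostMatchesAnyCn(List<String> cns, String host) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN. The real CN is www.attacker.test; the O
        // attribute's value is the literal text "foo,CN=www.apache.org"
        // (the comma is escaped with a backslash, as X500Principal would print it).
        String dn = "CN=www.attacker.test, O=foo\\,CN=www.apache.org, C=US";
        String expectedHost = "www.apache.org";

        List<String> naive = naiveCns(dn);
        List<String> parsed = parsedCns(dn);

        System.out.println("naive CNs : " + naive
                + " -> matches " + expectedHost + "? " + hostMatchesAnyCn(naive, expectedHost));
        System.out.println("parsed CNs: " + parsed
                + " -> matches " + expectedHost + "? " + hostMatchesAnyCn(parsed, expectedHost));
    }
}
```

Run as a plain `java CnExtractionDemo.java`: the naive extraction reports two CNs, including www.apache.org, and would accept the certificate for that host; the LdapName-based extraction reports only www.attacker.test and rejects it. A verifier built on the parsed form (and, in practice, one that also checks subjectAltName entries) is the behaviour the fixed releases provide, which is why the practical remedy for a 4.2.x dependency is moving to a release outside the affected range listed in the NVD entry rather than patching around it locally.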
