Posted to dev@hc.apache.org by Miriam Celi <mc...@us.ibm.com> on 2016/05/17 14:35:45 UTC
Is Apache HTTPclient 4.2.5 vulnerable to CVE-2014-3577?
Hello HttpComponents Dev Team,
Our team is trying to figure out if Apache HTTPclient 4.2.5 is vulnerable
to CVE-2014-3577 (Apache HttpComponents certificate spoofing). I did not
see Apache HTTPclient 4.2.5 listed as a vulnerable version in the NIST
Vulnerability Database CVE article (
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but wanted
to check with you in case that version has been missed from the list or is
actually ok to use (not vulnerable). The list of vulnerable versions in the
article is:
Vulnerable software and versions
+ Configuration 1
+ OR
cpe:/a:apache:httpasyncclient:4.0.1 and previous versions
cpe:/a:apache:httpasyncclient:4.0
cpe:/a:apache:httpasyncclient:4.0:beta4
cpe:/a:apache:httpasyncclient:4.0:beta3
cpe:/a:apache:httpasyncclient:4.0:beta2
cpe:/a:apache:httpasyncclient:4.0:beta1
cpe:/a:apache:httpasyncclient:4.0:alpha3
cpe:/a:apache:httpasyncclient:4.0:alpha2
cpe:/a:apache:httpasyncclient:4.0:alpha1
+ Configuration 2
+ OR
cpe:/a:apache:httpclient:4.3.4 and previous versions
cpe:/a:apache:httpclient:4.3.3
cpe:/a:apache:httpclient:4.3.2
cpe:/a:apache:httpclient:4.3.1
cpe:/a:apache:httpclient:4.3
cpe:/a:apache:httpclient:4.3:beta2
cpe:/a:apache:httpclient:4.3:beta1
cpe:/a:apache:httpclient:4.3:alpha1
cpe:/a:apache:httpclient:4.2.3
cpe:/a:apache:httpclient:4.2.2
cpe:/a:apache:httpclient:4.2.1
cpe:/a:apache:httpclient:4.2
cpe:/a:apache:httpclient:4.2:beta1
cpe:/a:apache:httpclient:4.2:alpha1
cpe:/a:apache:httpclient:4.1.2
cpe:/a:apache:httpclient:4.1.1
cpe:/a:apache:httpclient:4.1
cpe:/a:apache:httpclient:4.1:beta1
cpe:/a:apache:httpclient:4.1:alpha2
cpe:/a:apache:httpclient:4.1:alpha1
cpe:/a:apache:httpclient:4.0.1
cpe:/a:apache:httpclient:4.0
cpe:/a:apache:httpclient:4.0:beta2
cpe:/a:apache:httpclient:4.0:beta1
cpe:/a:apache:httpclient:4.0:alpha4
cpe:/a:apache:httpclient:4.0:alpha3
cpe:/a:apache:httpclient:4.0:alpha2
cpe:/a:apache:httpclient:4.0:alpha1
Thank you for your assistance.
Best regards,
Miriam Celi
Security Architect
IBM Analytics - InfoSphere
Information Server
E-mail: mceli@us.ibm.com
Phone: 561.702.9206 (mobile)
"Security is everyone's responsibility"
Re: Is Apache HTTPclient 4.2.5 vulnerable to CVE-2014-3577?
Posted by Oleg Kalnichevski <ol...@apache.org>.
On Tue, 2016-05-17 at 10:35 -0400, Miriam Celi wrote:
> Hello HttpComponents Dev Team,
>
> Our team is trying to figure out if Apache HTTPclient 4.2.5 is
> vulnerable to CVE-2014-3577 (Apache HttpComponents certificate
> spoofing). I did not see Apache HTTPclient 4.2.5 listed as a
> vulnerable version in the NIST Vulnerability Database CVE article
> (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but
> wanted to check with you in case that version has been missed from the
> list or is actually ok to use (not vulnerable). The list of vulnerable
> versions in the article is:
>
All 4.2 versions are vulnerable
https://github.com/apache/httpclient/blob/4.2.x/httpclient/src/main/java/org/apache/http/conn/ssl/AbstractVerifier.java
Oleg
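An added check (not code from this thread or from HttpComponents) for the question raised above: NVD's entry "cpe:/a:apache:httpclient:4.3.4 and previous versions" is a range, so 4.2.5 is covered even though it has no line of its own, which agrees with the answer that all 4.2 releases are affected. The CPE list below is a constructed excerpt of the entries quoted in the question, and ranking alpha/beta updates below a final release is an assumption.

```python
import re

# Constructed excerpt of the NVD "Configuration 2" entries quoted above,
# in the CPE 2.2 form used there: cpe:/a:vendor:product:version[:update]
NVD_HTTPCLIENT_CPES = [
    "cpe:/a:apache:httpclient:4.3.4 and previous versions",
    "cpe:/a:apache:httpclient:4.3.3",
    "cpe:/a:apache:httpclient:4.3:beta2",
    "cpe:/a:apache:httpclient:4.2.3",
    "cpe:/a:apache:httpclient:4.2",
    "cpe:/a:apache:httpclient:4.0:alpha1",
]

_CPE_RE = re.compile(
    r"^cpe:/a:([^:]+):([^:]+):([0-9.]+)(?::([^ ]+))?( and previous versions)?$"
)


def parse_version(v):
    """'4.2.5' -> (4, 2, 5); shorter versions are padded so that 4.2 == 4.2.0."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))


def version_key(version, update=None):
    """Sort key for a CPE version; assumption: alpha < beta < final release."""
    rank = 2
    if update:
        rank = 0 if update.startswith("alpha") else 1
    return parse_version(version) + (rank, update or "")


def is_listed_vulnerable(product, version, cpes, update=None):
    """True when (product, version[:update]) is covered by an NVD CPE entry,
    either as an exact match or through an 'X and previous versions' range."""
    target = version_key(version, update)
    for cpe in cpes:
        m = _CPE_RE.match(cpe)
        if not m or m.group(2) != product:
            continue  # malformed entry or a different product (e.g. httpasyncclient)
        _vendor, _product, ver, upd, is_range = m.groups()
        entry = version_key(ver, upd)
        if is_range and target <= entry:
            return True  # inside the "and previous versions" range
        if not is_range and target == entry:
            return True  # explicitly listed version
    return False


if __name__ == "__main__":
    # The version asked about in the thread: covered by the 4.3.4 range.
    print(is_listed_vulnerable("httpclient", "4.2.5", NVD_HTTPCLIENT_CPES))
```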