Posted to dev@chemistry.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/16 22:02:00 UTC

[jira] [Updated] (CMIS-1112) Customized HostnameVerifier bypasses the hostname verification

     [ https://issues.apache.org/jira/browse/CMIS-1112?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ya Xiao updated CMIS-1112:
--------------------------
    Description: 
In file [chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java] the customized HostnameVerifier allows all hostnames to pass verification (at Line 412).

*Security Impact*:

Hostname Verification is required to verify the identity of the other party. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/297.html]

*Solution we suggest:*

Do not customize the HostnameVerifier, or specify the verification logic instead of allowing all hostnames.

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?

 

> Customized HostnameVerifier bypasses the hostname verification
> --------------------------------------------------------------
>
>                 Key: CMIS-1112
>                 URL: https://issues.apache.org/jira/browse/CMIS-1112
>             Project: Chemistry
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>              Labels: patch, security
>
> In file [chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java] the customized HostnameVerifier allows all hostnames to pass verification (at Line 412).
> *Security Impact*:
> Hostname Verification is required to verify the identity of the other party. Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/297.html]
> *Solution we suggest:*
> Do not customize the HostnameVerifier, or specify the verification logic instead of allowing all hostnames.
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
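Added example (not code from the issue, the reporter, or the OpenCMIS code base): the CWE-297 anti-pattern the report describes, a HostnameVerifier whose verify() unconditionally returns true, next to the two fixes the report suggests. The first fix is simply to keep the JDK default verifier. The second is for the case where a deployment really does reach a server under a name that differs from the URL host: instead of accepting every peer, compare the peer certificate's dNSName subjectAltName entries against one explicitly configured expected name. The name `expectedName`, the class name, and the SAN lists in main() are assumptions constructed for this example, not values from the project.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public final class HostnameVerifiers {

    // The anti-pattern described in CMIS-1112 (CWE-297): the certificate's identity is
    // never compared with the requested host, so a man-in-the-middle presenting any
    // certificate that passes chain validation is accepted.
    public static final HostnameVerifier ALLOW_ALL = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    };

    // Fix 1: do not customise. The JDK default verifier matches the requested host
    // against the certificate's subjectAltName entries.
    public static HostnameVerifier platformDefault() {
        return HttpsURLConnection.getDefaultHostnameVerifier();
    }

    // Fix 2: when the URL host legitimately differs from the certificate name, verify the
    // peer certificate against one configured expected name instead of skipping the check.
    // 'expectedName' is a hypothetical configuration value assumed for this example.
    public static HostnameVerifier expecting(final String expectedName) {
        return new HostnameVerifier() {
            @Override
            public boolean verify(String hostname, SSLSession session) {
                try {
                    Certificate[] chain = session.getPeerCertificates();
                    if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                        return false;
                    }
                    List<String> dnsNames = dnsSubjectAltNames((X509Certificate) chain[0]);
                    return matchesAny(expectedName, dnsNames);
                } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
                    return false; // fail closed: no verifiable identity, no connection
                }
            }
        };
    }

    // Collect the dNSName (GeneralName type 2) entries of the subjectAltName extension.
    static List<String> dnsSubjectAltNames(X509Certificate cert) throws CertificateParsingException {
        List<String> names = new ArrayList<String>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) {
            return names;
        }
        for (List<?> san : sans) {
            Integer type = (Integer) san.get(0);
            if (type == 2 && san.get(1) instanceof String) {
                names.add((String) san.get(1));
            }
        }
        return names;
    }

    // RFC 6125-style comparison: case-insensitive; a wildcard is accepted only as the
    // entire leftmost label, matches exactly one label, and needs at least two fixed labels.
    static boolean matchesAny(String expected, List<String> dnsNames) {
        String host = expected.toLowerCase(Locale.ROOT);
        for (String name : dnsNames) {
            if (matches(host, name.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    static boolean matches(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1); // ".example.com"
        if (suffix.indexOf('.', 1) < 0) {
            return false; // reject "*.com"-style patterns
        }
        if (!host.endsWith(suffix) || host.length() <= suffix.length()) {
            return false;
        }
        String leftmost = host.substring(0, host.length() - suffix.length());
        return leftmost.indexOf('.') < 0; // wildcard covers exactly one label
    }

    public static void main(String[] args) {
        // Constructed SAN list standing in for a real peer certificate.
        List<String> sans = Arrays.asList("cms.example.com", "*.internal.example.com");
        for (String name : Arrays.asList("cms.example.com", "docs.internal.example.com",
                "a.b.internal.example.com", "evil.example.org")) {
            System.out.println(name + " -> " + matchesAny(name, sans));
        }
    }
}
```

The verifier returned by expecting() still refuses every host whose certificate does not carry the configured name, so an attacker on the path needs a certificate for that specific name rather than any certificate at all; ALLOW_ALL accepts all four names in main() regardless of the certificate.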