Posted to issues@cloudstack.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2020/05/06 03:20:00 UTC

[jira] [Created] (CLOUDSTACK-10421) Usage of Empty TrustManager Methods is insecure

Md Mahir Asef Kabir created CLOUDSTACK-10421:
------------------------------------------------

             Summary: Usage of Empty TrustManager Methods is insecure
                 Key: CLOUDSTACK-10421
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10421
             Project: CloudStack
          Issue Type: Improvement
      Security Level: Public (Anyone can view this level - this is the default.)
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In {{plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java}}, inside {{private static class TrustAllTrustManager implements TrustManager, X509TrustManager}}, the overridden methods have no body:

{code:java}
// Empty bodies: neither method ever throws, so every presented chain is accepted
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
{code}


*Reason it’s vulnerable:* If a method responsible for checking certificates doesn’t have any body, then it will trust all certificates.


*Suggested Fix:* Adding necessary certificate verification logic in the overridden methods.


*Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion - 

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)