You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ax...@ws.apache.org> on 2016/09/26 07:41:21 UTC
[jira] [Issue Comment Deleted] (AXIS-2905) Insecure certificate
validation CVE-2014-3596
[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andreas Veithen updated AXIS-2905:
----------------------------------
Comment: was deleted
(was: doesnt compile with JDK 1.8.0_40-b26
Warning: Binary file .\javax\security\cert\X509Certificate contains javax.security.cert.X509Certificate
public abstract java.security.Principal getSubjectDN();
suggest backing out patch or reverting to previous version asap)
> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
> Key: AXIS-2905
> URL: https://issues.apache.org/jira/browse/AXIS-2905
> Project: Axis
> Issue Type: Bug
> Affects Versions: 1.4
> Reporter: David Jorm
> Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org