Posted to issues@airavata.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/17 00:04:00 UTC

[jira] [Updated] (AIRAVATA-3402) Customized TrustManager bypasses certificate verification

     [ https://issues.apache.org/jira/browse/AIRAVATA-3402?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ya Xiao updated AIRAVATA-3402:
------------------------------
    Description: 
We found a security vulnerability in file [airavata/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java|https://github.com/apache/airavata/blob/bbcaf8d194c0409f14b968a4a22e55850257e1ae/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java]. The customized TrustManager (at Line 18) allows all certificates to pass the verification.

*Security Impact*:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/295.html]

[https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]

*Solution we suggest:*

Do not customize the TrustManager or specify the certificate validation logic instead of allowing all certificates. See [here|https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other common cases.

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?

  was:
We found a security vulnerability in file [airavata/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java|https://github.com/apache/airavata/blob/bbcaf8d194c0409f14b968a4a22e55850257e1ae/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java]. The customized TrustManger (at Line 18) allows all certificates to pass the verification.

*Security Impact*:

The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/295.html]

[https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]

*Solution we suggest:*

Do not customize the TrustManger or specify the certificate validation logic instead of allowing all certificates. See [here|https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other commen cases.

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?


> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: AIRAVATA-3402
>                 URL: https://issues.apache.org/jira/browse/AIRAVATA-3402
>             Project: Airavata
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>
> We found a security vulnerability in file [airavata/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java|https://github.com/apache/airavata/blob/bbcaf8d194c0409f14b968a4a22e55850257e1ae/tools/load-client/src/main/java/org/apache/airavata/tools/load/SecurityManager.java]. The customized TrustManager (at Line 18) allows all certificates to pass the verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to implement the certificate validation logic. Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager or specify the certificate validation logic instead of allowing all certificates. See [here|https://developer.android.com/training/articles/security-ssl] to securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
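The pattern the report describes next to the fix it suggests, as an added example that is not part of the original message and is not Airavata's code. The class name, the `pinned-ca` alias and the optional PEM path argument are assumptions made for illustration; `TRUST_ALL` shows the general shape of an accept-everything TrustManager, not the contents of SecurityManager.java.

```java
import javax.net.ssl.*;
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;

public class TrustManagerExample {
    // Reported pattern (CWE-295): both check methods return without validating anything.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // Suggested fix: let the platform TrustManagerFactory do the validation.
    // caPem == null -> JVM default trust store; otherwise trust only the CA or
    // self-signed certificate stored in that PEM file (hypothetical path).
    static TrustManager[] trustManagersFor(Path caPem) throws Exception {
        KeyStore ks = null;
        if (caPem != null) {
            ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(null, null); // start from an empty in-memory store
            try (InputStream in = Files.newInputStream(caPem)) {
                Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(in);
                ks.setCertificateEntry("pinned-ca", ca);
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return tmf.getTrustManagers();
    }

    public static void main(String[] args) throws Exception {
        TrustManager[] tms = trustManagersFor(args.length > 0 ? Paths.get(args[0]) : null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tms, null); // hand ctx.getSocketFactory() to the HTTPS client

        X509Certificate[] empty = new X509Certificate[0]; // constructed input: no certificate at all
        TRUST_ALL.checkServerTrusted(empty, "RSA");
        System.out.println("trust-all manager: accepted an empty chain");
        try {
            ((X509TrustManager) tms[0]).checkServerTrusted(empty, "RSA");
            System.out.println("validating manager: accepted (unexpected)");
        } catch (IllegalArgumentException | CertificateException e) {
            System.out.println("validating manager: rejected (" + e.getMessage() + ")");
        }
    }
}
```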