BDU:2024-08705

Published: 18 Aug 2014
Source: fstec
CVSS3: 6.5
CVSS2: 6.4
EPSS: Low

Description

A vulnerability in the Apache HttpClient client module of Apache HttpComponents is caused by improper validation of SSL/TLS certificates. Exploitation of the vulnerability may allow a remote attacker to spoof SSL servers by manipulating the contents of the distinguished name (DN) field.

Vendor

Red Hat Inc.
Canonical Ltd.
Novell Inc.
Free software community
IBM Corp.
Apache Software Foundation

Software name

Red Hat Enterprise Virtualization
Red Hat Enterprise Linux
Ubuntu
SUSE Linux Enterprise Server for SAP Applications
SUSE OpenStack Cloud
Red Hat Virtualization
SUSE Linux Enterprise Module for Basesystem
SUSE Enterprise Storage
SUSE Linux Enterprise Point of Sale
Suse Linux Enterprise Server
OpenSUSE Leap
SUSE OpenStack Cloud Crowbar
Red Hat Satellite
Jboss Operations Network
Red Hat Software Collections
SUSE Linux Enterprise High Performance Computing
openSUSE Tumbleweed
Red Hat Storage
Red Hat JBoss Data Virtualization
SUSE Manager Proxy
SUSE Manager Retail Branch Server
SUSE Manager Server
Debian GNU/Linux
Red Hat JBoss Fuse Service Works
Red Hat JBoss SOA Platform
Red Hat OpenShift Enterprise
Suse Linux Enterprise Desktop
Red Hat JBoss Data Grid
Red Hat OpenShift Container Platform
Red Hat JBoss Fuse
Red Hat JBoss Enterprise Application Platform
SUSE Liberty Linux
IBM Storwize V5000
Red Hat Jboss Enterprise Web Platform
Red Hat JBoss BPMS
Jboss Portal
Red Hat JBoss Web Framework Kit
Red Hat JBoss Web Platform
RHEV Manager
Red Hat JBoss Enterprise Web Server
Apache HttpClient
Apache HttpAsyncClient
Red Hat JBoss A-MQ

Software version

3 (Red Hat Enterprise Virtualization)
5 (Red Hat Enterprise Linux)
6 (Red Hat Enterprise Linux)
7 (Red Hat Enterprise Linux)
12.04 (Ubuntu)
15.04 (Ubuntu)
12 SP2 (SUSE Linux Enterprise Server for SAP Applications)
12 SP3 (SUSE Linux Enterprise Server for SAP Applications)
12 SP4 (SUSE Linux Enterprise Server for SAP Applications)
7 (SUSE OpenStack Cloud)
4 (Red Hat Virtualization)
15 SP1 (SUSE Linux Enterprise Module for Basesystem)
5 (SUSE Enterprise Storage)
12 SP2-CLIENT (SUSE Linux Enterprise Point of Sale)
12 SP2-ESPOS (Suse Linux Enterprise Server)
15.1 (OpenSUSE Leap)
15 (SUSE Linux Enterprise Server for SAP Applications)
15 SP1 (SUSE Linux Enterprise Server for SAP Applications)
12 SP2-LTSS (Suse Linux Enterprise Server)
12 SP3-LTSS (Suse Linux Enterprise Server)
14.04 ESM (Ubuntu)
8 (SUSE OpenStack Cloud)
12 SP3-BCL (Suse Linux Enterprise Server)
12 SP5 (Suse Linux Enterprise Server)
12 SP5 (SUSE Linux Enterprise Server for SAP Applications)
8 (SUSE OpenStack Cloud Crowbar)
5.0 (Red Hat Satellite)
6.0 (Red Hat Satellite)
3.3 (Jboss Operations Network)
6 (SUSE Enterprise Storage)
- (Red Hat Software Collections)
12 SP3-ESPOS (Suse Linux Enterprise Server)
9 (SUSE OpenStack Cloud)
9 (SUSE OpenStack Cloud Crowbar)
15-ESPOS (SUSE Linux Enterprise High Performance Computing)
15-LTSS (SUSE Linux Enterprise High Performance Computing)
15-LTSS (Suse Linux Enterprise Server)
- (openSUSE Tumbleweed)
3 (Red Hat Storage)
15 SP2 (SUSE Linux Enterprise Module for Basesystem)
6 (Red Hat JBoss Data Virtualization)
3.0 (Jboss Operations Network)
15.2 (OpenSUSE Leap)
12 SP4-ESPOS (Suse Linux Enterprise Server)
12 SP4-LTSS (Suse Linux Enterprise Server)
4.0 (SUSE Manager Proxy)
4.0 (SUSE Manager Retail Branch Server)
4.0 (SUSE Manager Server)
15 SP3 (SUSE Linux Enterprise Module for Basesystem)
15 SP1 (Suse Linux Enterprise Server)
11 (Debian GNU/Linux)
12 (Debian GNU/Linux)
6 (Red Hat JBoss Fuse Service Works)
5 (Red Hat JBoss SOA Platform)
2 (Red Hat OpenShift Enterprise)
15 SP3 (SUSE Linux Enterprise High Performance Computing)
15 SP3 (Suse Linux Enterprise Server)
15 SP3 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Proxy)
4.2 (SUSE Manager Server)
15 SP3 (Suse Linux Enterprise Desktop)
7 (SUSE Enterprise Storage)
15 SP2 (Suse Linux Enterprise Server)
15 SP2 (SUSE Linux Enterprise Server for SAP Applications)
4.1 (SUSE Manager Server)
4.1 (SUSE Manager Proxy)
4.1 (SUSE Manager Retail Branch Server)
15 SP4 (Suse Linux Enterprise Server)
15 SP2 (Suse Linux Enterprise Desktop)
15 SP2 (SUSE Linux Enterprise High Performance Computing)
15 SP4 (Suse Linux Enterprise Desktop)
15 SP4 (SUSE Linux Enterprise Server for SAP Applications)
4.2 (SUSE Manager Retail Branch Server)
6 (Red Hat JBoss Data Grid)
4.3 (SUSE Manager Retail Branch Server)
4.3 (SUSE Manager Proxy)
4.3 (SUSE Manager Server)
15 SP4 (SUSE Linux Enterprise High Performance Computing)
4.10 (Red Hat OpenShift Container Platform)
15 SP1 (Suse Linux Enterprise Desktop)
6.2 (Red Hat JBoss Fuse)
7.1 (SUSE Enterprise Storage)
15 SP4 (SUSE Linux Enterprise Module for Basesystem)
15 SP1 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Server for SAP Applications)
15 SP5 (Suse Linux Enterprise Server)
15 SP5 (Suse Linux Enterprise Desktop)
15 SP5 (SUSE Linux Enterprise High Performance Computing)
15 SP5 (SUSE Linux Enterprise Module for Basesystem)
6 (Red Hat JBoss Enterprise Application Platform)
5 (Red Hat JBoss Enterprise Application Platform)
7 (SUSE Liberty Linux)
15 SP6 (Suse Linux Enterprise Desktop)
15 SP6 (Suse Linux Enterprise Server)
15 SP6 (SUSE Linux Enterprise Server for SAP Applications)
15 SP6 (SUSE Linux Enterprise High Performance Computing)
15 SP6 (SUSE Linux Enterprise Module for Basesystem)
7.8.1.10 (IBM Storwize V5000)
5 for RHEL 5 (Red Hat Jboss Enterprise Web Platform)
5 for RHEL 6 (Red Hat Jboss Enterprise Web Platform)
6 (Red Hat JBoss BPMS)
6.1 (Red Hat JBoss Data Virtualization)
6.2 (Jboss Portal)
5.3 (Red Hat JBoss SOA Platform)
2.7 (Red Hat JBoss Web Framework Kit)
5.2 (Red Hat JBoss Web Platform)
3.5 (RHEV Manager)
4 (Red Hat JBoss Enterprise Application Platform)
1 (Red Hat JBoss Enterprise Web Server)
5 (Jboss Portal)
6 (Jboss Portal)
from 4.0.0 through 4.3.4 inclusive (Apache HttpClient)
from 4.0.0 through 4.0.1 inclusive (Apache HttpAsyncClient)
7 LTSS (SUSE Liberty Linux)
1 (Red Hat OpenShift Enterprise)
6.2 (Red Hat JBoss A-MQ)
5 (Red Hat JBoss BPMS)
5 for RHEL 4 (Red Hat JBoss Enterprise Application Platform)
5 for RHEL 5 (Red Hat JBoss Enterprise Application Platform)
5 for RHEL 6 (Red Hat JBoss Enterprise Application Platform)
5.2 (Red Hat JBoss Enterprise Application Platform)
6.3 (Red Hat JBoss Enterprise Application Platform)
6.3 for RHEL 5 (Red Hat JBoss Enterprise Application Platform)
6.3 for RHEL 6 (Red Hat JBoss Enterprise Application Platform)
6.3 for RHEL 7 (Red Hat JBoss Enterprise Application Platform)
4.3 (Red Hat JBoss SOA Platform)
2.2 (Red Hat OpenShift Enterprise)
1 for Red Hat Enterprise Linux 6 (Red Hat Software Collections)
1 for Red Hat Enterprise Linux 6.4 EUS (Red Hat Software Collections)
2.1 (Red Hat Storage)

Software type

Operating system
Application software for information systems
Virtualization software / virtual software-hardware appliance software
Network appliance

Operating systems and hardware platforms

Red Hat Inc. Red Hat Enterprise Virtualization 3
Red Hat Inc. Red Hat Enterprise Linux 5
Red Hat Inc. Red Hat Enterprise Linux 6
Red Hat Inc. Red Hat Enterprise Linux 7
Canonical Ltd. Ubuntu 12.04
Canonical Ltd. Ubuntu 15.04
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP4
Novell Inc. Suse Linux Enterprise Server 12 SP2-ESPOS
Novell Inc. OpenSUSE Leap 15.1
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP1
Novell Inc. Suse Linux Enterprise Server 12 SP2-LTSS
Novell Inc. Suse Linux Enterprise Server 12 SP3-LTSS
Canonical Ltd. Ubuntu 14.04 ESM
Novell Inc. Suse Linux Enterprise Server 12 SP3-BCL
Novell Inc. Suse Linux Enterprise Server 12 SP5
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5
Novell Inc. Suse Linux Enterprise Server 12 SP3-ESPOS
Novell Inc. Suse Linux Enterprise Server 15-LTSS
Novell Inc. openSUSE Tumbleweed -
Novell Inc. OpenSUSE Leap 15.2
Novell Inc. Suse Linux Enterprise Server 12 SP4-ESPOS
Novell Inc. Suse Linux Enterprise Server 12 SP4-LTSS
Novell Inc. Suse Linux Enterprise Server 15 SP1
Free software community Debian GNU/Linux 11
Free software community Debian GNU/Linux 12
Novell Inc. Suse Linux Enterprise Server 15 SP3
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP3
Novell Inc. Suse Linux Enterprise Desktop 15 SP3
Novell Inc. Suse Linux Enterprise Server 15 SP2
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP2
Novell Inc. Suse Linux Enterprise Server 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP2
Novell Inc. Suse Linux Enterprise Desktop 15 SP4
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP4
Novell Inc. Suse Linux Enterprise Desktop 15 SP1
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP5
Novell Inc. Suse Linux Enterprise Server 15 SP5
Novell Inc. Suse Linux Enterprise Desktop 15 SP5
Novell Inc. SUSE Liberty Linux 7
Novell Inc. Suse Linux Enterprise Desktop 15 SP6
Novell Inc. Suse Linux Enterprise Server 15 SP6
Novell Inc. SUSE Linux Enterprise Server for SAP Applications 15 SP6
Novell Inc. SUSE Liberty Linux 7 LTSS

Vulnerability severity level

Medium severity (CVSS 2.0 base score 6.4)
Medium severity (CVSS 3.0 base score 6.5)

Possible remediation measures

Follow the vendor recommendations:
For Apache Software Foundation products:
https://issues.apache.org/jira/browse/DRILL-7416
For Debian GNU/Linux:
https://security-tracker.debian.org/tracker/CVE-2014-3577
For Red Hat Inc. products:
https://access.redhat.com/security/cve/CVE-2014-3577
For Ubuntu:
https://ubuntu.com/security/notices/USN-2769-1
For Novell Inc. products:
https://www.suse.com/security/cve/CVE-2014-3577.html
For IBM Storwize V5000:
Compensating measures:
- minimize user privileges;
- disable/remove unused user accounts;
- restrict access from public networks (Internet);
- use virtual private networks (VPN) for remote access.

Vulnerability status

Confirmed by the vendor

Exploit availability

Publicly available

Remediation information

Vulnerability fixed

Identifiers in other vulnerability description systems

EPSS: 0.01367 (percentile: 79%), Low

CVSS3: 6.5 Medium

CVSS2: 6.4 Medium

Related vulnerabilities

ubuntu
about 11 years ago

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

CVSS3: 4.8
redhat
about 11 years ago

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

nvd
about 11 years ago

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

debian
about 11 years ago

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents Htt ...

github
almost 7 years ago

Improper Verification of Cryptographic Signature in org.apache.httpcomponents:httpclient