Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2014-3596

Опубликовано: 19 авг. 2014
Источник: redhat
CVSS2: 5.8
EPSS Низкий

Описание

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

It was discovered that Axis incorrectly extracted the host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.

Отчет

Note that Axis 1 is EOL upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat. Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1164433

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Developer Toolset 2.1devtoolset-2-axisNot affected
Red Hat Enterprise Virtualization 3jasperreports-server-proAffected
Red Hat JBoss Portal 5axisAffected
Red Hat Enterprise Linux 5axisFixedRHSA-2014:119315.09.2014
Red Hat Enterprise Linux 6axisFixedRHSA-2014:119315.09.2014
Red Hat JBoss Portal 6.2axisFixedRHSA-2015:101014.05.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-297
https://bugzilla.redhat.com/show_bug.cgi?id=1129935axis: SSL hostname verification bypass, incomplete CVE-2012-5784 fix

EPSS

Процентиль: 78%
0.01225
Низкий

5.8 Medium

CVSS2

Связанные уязвимости

ubuntu логотип

CVE-2014-3596

ubuntu
почти 11 лет назад

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

nvd логотип

CVE-2014-3596

nvd
почти 11 лет назад

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

debian логотип

CVE-2014-3596

debian
почти 11 лет назад

The getCN function in Apache Axis 1.4 and earlier does not properly ve ...

github логотип

GHSA-r53v-vm87-f72c

github
почти 7 лет назад

Improper Validation of Certificates in apache axis

oracle-oval логотип

ELSA-2014-1193

oracle-oval
почти 11 лет назад

ELSA-2014-1193: axis security update (IMPORTANT)

EPSS

Процентиль: 78%
0.01225
Низкий

5.8 Medium

CVSS2