CVE-2014-3604

Опубликовано: 22 авг. 2014

Источник: redhat

CVSS2: 5.8

EPSS Низкий

Описание

Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

It was discovered that the implementation used by the Not Yet Commons SSL project to check that the server hostname matches the domain name in the subject's CN field was flawed. This could be exploited by a man-in-the-middle attacker by spoofing a valid certificate using a specially crafted subject.

Отчет

Red Hat JBoss SOA Platform 4 is now in Phase 3, Extended Life Support, of its life cycle. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat JBoss SOA Platform 4	commons-ssl	Will not fix
Red Hat JBoss SOA Platform 5.3	commons-ssl	Fixed	RHSA-2015:1888	12.10.2015

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important

Дефект:

CWE-228->CWE-297

https://bugzilla.redhat.com/show_bug.cgi?id=1131803SSL: Hostname verification susceptible to MITM attack

EPSS

Процентиль: 43%

0.00205

Низкий

5.8 Medium

CVSS2

Связанные уязвимости

CVE-2014-3604

ubuntu

больше 11 лет назад

CVE-2014-3604

nvd

больше 11 лет назад

CVE-2014-3604

debian

больше 11 лет назад

Certificates.java in Not Yet Commons SSL before 0.3.15 does not proper ...

GHSA-cmxj-wx9v-52qr

github

больше 3 лет назад

Improper Validation of Certificate with Host Mismatch in Not Yet Commons SSL

EPSS

Процентиль: 43%

0.00205

Низкий

5.8 Medium

CVSS2