Описание
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss BRMS 5 | smack | Will not fix | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-6 | Under investigation | ||
| Red Hat JBoss Enterprise Web Server 1 | fuse-esb-7 | Under investigation | ||
| Red Hat JBoss Fuse 6.2 | Fixed | RHSA-2015:1176 | 23.06.2015 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.8 Medium
CVSS2
Связанные уязвимости
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x w ...
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
EPSS
5.8 Medium
CVSS2