axis-java-dev mailing list archives

From Zhi Xie <>
Subject SSL vulnerability in Apache Axis2
Date Wed, 08 Aug 2012 05:14:02 GMT
I heard there is a SSL vulnerability about commons-httpclient-3.1. Is there
a fix on it or a solution?

The vulnerability's description is below.

Axis2 implemented in Java is vulnerable to
man-in-the-middle attacks. By extension, all applications using this
library to establish SSL connections with the target servers are
vulnerable. Affected applications leak all data sent over the network,
such as login credentials, bank account numbers, personally identifiable
information, etc. The vulnerability can be exposed in any network
topology in which a man-in-the-middle can be deployed.

In depth analysis of Axis2 shows that the middleware uses the
commons-httpclient-3.1 library when establishing SSL connections with
target servers. Internally, commons-httpclient-3.1 uses raw sockets to
establish SSL connections. Per JSSE’s manual, raw sockets do not
verify the name of the target server against the name(s) in the
server’s SSL certificate. Since commons-httpclient-3.1 does not
provide its own hostname verifier to compensate for this omission,
this overhaul renders the framework and all applications built on top
of it insecure.

Best Regards
Apache Geronimo
