axis-java-dev mailing list archives

From Sagara Gunathunga <>
Subject Re: SSL vulnerability in Apache Axis2
Date Wed, 08 Aug 2012 05:46:58 GMT
Could you tell us exactly where you heard about such an SSL
vulnerability, please?

Thanks !

On Wed, Aug 8, 2012 at 10:44 AM, Zhi Xie <> wrote:
> I heard there is an SSL vulnerability in commons-httpclient-3.1. Is there
> a fix for it or a solution?
> The vulnerability's description is below.
> Axis2 implemented in Java is vulnerable to
> man-in-the-middle attacks. By extension, all applications using this
> library to establish SSL connections with the target servers are
> vulnerable. Affected applications leak all data sent over the network,
> such as login credentials, bank account numbers, personal identifiable
> information, etc. The vulnerability can be exposed in any network
> topology in which a man-in-the-middle can be deployed.
> In depth analysis of Axis2 shows that the middleware uses the
> commons-httpclient-3.1 library when establishing SSL connections with
> target servers. Internally, commons-httpclient-3.1 uses raw sockets to
> establish SSL connections. Per JSSE's manual, raw sockets do not
> verify the name of the target server against the name(s) in the
> server’s SSL certificate. Since commons-httpclient-3.1 does not
> provide its own hostname verifier to compensate for this omission,
> this overhaul renders the framework and all applications built on top
> of it insecure.
> --
> Best Regards
> Gary
> Apache Geronimo

Sagara Gunathunga

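The gap the quoted report describes is that a raw JSSE socket never checks the requested host name against the server certificate. The following is an added illustration, not Axis2 or commons-httpclient code: a commons-httpclient 3.1 `SecureProtocolSocketFactory` that turns on JSSE endpoint identification (Java 7 or later) before the handshake, so a certificate whose name does not match the target host fails the connection. The class name and the `install()` helper are my own choices, and the connect timeout passed by HttpClient is deliberately not honoured to keep the example short.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Added example (hypothetical class, not part of Axis2 or commons-httpclient):
// wraps the default JSSE factory and enables RFC 2818 host name checking.
public class HostnameVerifyingSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Ask JSSE to match the certificate against the host we asked for; on a
    // mismatch startHandshake() throws an SSLException instead of proceeding.
    private static Socket verified(SSLSocket s) throws IOException {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return verified((SSLSocket) delegate.createSocket(host, port));
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
            throws IOException, UnknownHostException {
        return verified((SSLSocket) delegate.createSocket(host, port, localAddr, localPort));
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
            HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
        // Timeout from params intentionally ignored in this illustration.
        return createSocket(host, port, localAddr, localPort);
    }
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return verified((SSLSocket) delegate.createSocket(socket, host, port, autoClose));
    }
    // Register once at startup so every https:// request through HttpClient 3.1 uses it.
    public static void install() {
        Protocol.registerProtocol("https",
                new Protocol("https", (ProtocolSocketFactory) new HostnameVerifyingSocketFactory(), 443));
    }
}
```

Calling `HostnameVerifyingSocketFactory.install()` before the first Axis2 call replaces the default https protocol handler process-wide; an easy check is to point the client at a server whose certificate carries a different name and confirm the request now fails.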

