axis-java-dev mailing list archives

From Sagara Gunathunga <sagara.gunathu...@gmail.com>
Subject Re: SSL vulnerability in Apache Axis2
Date Wed, 08 Aug 2012 05:46:58 GMT
Could you tell us exactly where you heard about such an SSL
vulnerability, please?

Thanks !

On Wed, Aug 8, 2012 at 10:44 AM, Zhi Xie <daxiezhi@gmail.com> wrote:
> I heard there is an SSL vulnerability in commons-httpclient-3.1. Is there
> a fix for it or a solution?
>
> The vulnerability's description is below.
>
> Axis2 implemented in Java is vulnerable to
> man-in-the-middle attacks. By extension, all applications using this
> library to establish SSL connections with the target servers are
> vulnerable. Affected applications leak all data sent over the network,
> such as login credentials, bank account numbers, personal identifiable
> information, etc. The vulnerability can be exposed in any network
> topology in which a man-in-the-middle can be deployed.
>
> In-depth analysis of Axis2 shows that the middleware uses the
> commons-httpclient-3.1 library when establishing SSL connections with
> target servers. Internally, commons-httpclient-3.1 uses raw sockets to
> establish SSL connections. Per JSSE’s manual, raw sockets do not
> verify the name of the target server against the name(s) in the
> server’s SSL certificate. Since commons-httpclient-3.1 does not
> provide its own hostname verifier to compensate for this omission,
> this overhaul renders the framework and all applications built on top
> of it insecure.
>
> --
> Best Regards
> Gary
> Apache Geronimo
>



-- 
Sagara Gunathunga

Blog      - http://ssagara.blogspot.com
Web      - http://people.apache.org/~sagara/
LinkedIn - http://www.linkedin.com/in/ssagara
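One mitigation for the omission Gary's quoted analysis describes, added here as an example that is not part of this thread and not code from Axis2 or commons-httpclient: a SecureProtocolSocketFactory for HttpClient 3.1 (the class name VerifyingSocketFactory is hypothetical) that turns on JSSE's "HTTPS" endpoint identification (available since Java 7) before the handshake, so a certificate whose name does not match the target host aborts the connection instead of being silently accepted.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Hypothetical class name. The default JSSE SSLSocketFactory validates the
// certificate chain but not that the certificate's name matches the host;
// enabling endpoint identification makes the handshake itself do that check.
public class VerifyingSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory delegate = (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Enable RFC 2818 hostname matching, then run the handshake eagerly so a
    // mismatch surfaces as an SSLHandshakeException before any request is sent.
    private static Socket harden(SSLSocket socket) throws IOException {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return harden((SSLSocket) delegate.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort)
            throws IOException {
        return harden((SSLSocket) delegate.createSocket(host, port, localAddr, localPort));
    }

    // Connection parameters (timeouts) are left to the caller in this example.
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
            HttpConnectionParams params) throws IOException {
        return createSocket(host, port, localAddr, localPort);
    }

    // Used by HttpClient when layering TLS over an existing socket (e.g. after a proxy CONNECT).
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException {
        return harden((SSLSocket) delegate.createSocket(socket, host, port, autoClose));
    }

    // Register once at startup so every https:// URL goes through this factory.
    public static void install() {
        Protocol.registerProtocol("https", new Protocol("https", new VerifyingSocketFactory(), 443));
    }
}
```

Calling VerifyingSocketFactory.install() before creating any HttpClient replaces the default https protocol handler process-wide, which is what a deployment like Axis2's transport needs.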

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org