axis-java-dev mailing list archives

From "Nilesh Shinde (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5757) Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
Date Thu, 13 Apr 2017 04:03:41 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15967085#comment-15967085 ]

Nilesh Shinde commented on AXIS2-5757:
--------------------------------------

Where and how can I access the builds with fixes or a patch to fix these issues? I am trying
to refer to the link shared here, yet the link is not working.
NOT WORKING : https://builds.apache.org/job/axis2-1.7/72/

Why I need this: 

CVE-2015-5262 - http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient
before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake,
which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified
vectors

CVE-2012-6153 - http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3
does not properly verify that the server hostname matches a domain name in the subject's Common
Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle
attackers to spoof SSL servers via a certificate with a subject that specifies a common name
in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix
for CVE-2012-5783

CVE-2014-3577 - org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient
before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname
matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509
certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string
in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org"
string in the O field

CVE-2012-5783 - Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service
(FPS) merchant Java SDK and other products, does not verify that the server hostname matches
a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate,
which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2011-1498 - Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with
an authenticating proxy server, sends the Proxy-Authorization header to the origin server,
which allows remote web servers to obtain sensitive information by logging this header.

The action I want to perform is to upgrade to version 4.3.6+ of commons-httpclient-4.3*.*.jar. I tried
replacing it, however it failed at runtime with the errors below:

ERROR [http-nio-8090-exec-1] (WarBasedAxisConfigurator.java:180) - org/apache/commons/httpclient/HttpException
org.apache.axis2.deployment.DeploymentException: org/apache/commons/httpclient/HttpException
	at org.apache.axis2.deployment.AxisConfigBuilder.processTransportSenders(AxisConfigBuilder.java:699)
	at org.apache.axis2.deployment.AxisConfigBuilder.populateConfig(AxisConfigBuilder.java:123)


> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: AXIS2-5757
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5757
>             Project: Axis2
>          Issue Type: Bug
>          Components: transports
>    Affects Versions: 1.4, 1.6.2, 1.6.3, 1.6.4, 1.7.0, 1.7.1
>         Environment: Axis2 used as a Web Service Provider for an application
>            Reporter: Deepak
>            Assignee: Andreas Veithen
>              Labels: security
>             Fix For: 1.7.4
>
>
> Version of httpclient bundled in axis2-1.7.1 is exposed to the vulnerability CVE-2012-6153, CVE-2014-3577
> Hi
> The version of httpclient (httpclient-4.2.1.jar) bundled with axis2-1.7.1 is susceptible to CVE-2012-6153, CVE-2014-3577.
> The vulnerability says that the class "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3" is vulnerable. (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)
> What plans do we have for Axis2 to address this vulnerability? Will it be fixed in the upcoming 1.7.2 or 1.8 release, or any other release? If yes, when would that be? The reason for this query is that our application uses Axis2 and is hence exposed to this vulnerability.
> Thanks,
> Regds,
> Deepak



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org
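Added example (not part of the JIRA thread, and not HttpClient's or Axis2's own code): the CVE-2012-6153 / CVE-2014-3577 descriptions quoted above both come down to how a hostname verifier pulls the Common Name out of a certificate subject. The program below contrasts a naive extractor that splits the subject DN on commas and looks for "CN=" tokens with an RDN-aware extractor that parses the DN with the JDK's RFC 2253 parser (javax.naming.ldap.LdapName) and only accepts values whose attribute type really is CN. The subject DN strings in main() are constructed for the demonstration; in real code the input would be X509Certificate.getSubjectX500Principal().getName(), which returns the same RFC 2253 form. The class and method names are my own.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added example: CN extraction from a certificate subject, the naive way and
 * the RDN-aware way. Inputs are RFC 2253 DN strings (the form returned by
 * X509Certificate.getSubjectX500Principal().getName()). The DN used in main()
 * is constructed for this demo and does not come from any real certificate.
 */
public class SubjectCnDemo {

    /**
     * Naive extraction: split the DN on every comma and treat any token that
     * starts with "CN=" as a Common Name. An escaped comma inside the value of
     * another attribute (here O) is treated as an RDN separator, so text the
     * certificate holder controls becomes a "CN". This is the class of bug the
     * CVE-2014-3577 text describes with its "foo,CN=www.apache.org" example.
     */
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken().trim();
            if (tok.length() > 3 && tok.substring(0, 3).equalsIgnoreCase("CN=")) {
                cns.add(tok.substring(3));
            }
        }
        return cns;
    }

    /**
     * RDN-aware extraction: let the JDK's RFC 2253 parser split the DN into
     * RDNs (honouring backslash escapes and quoting), then keep only RDNs
     * whose attribute type is CN. Rdn.getValue() returns the unescaped value.
     */
    static List<String> rdnCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(rdn.getValue().toString());
            }
        }
        return cns;
    }

    /**
     * Exact, case-insensitive hostname match against a list of CNs. No wildcard
     * handling and no subjectAltName: just enough to show how the two
     * extractors differ for the same certificate subject.
     */
    static boolean hostMatchesCn(String host, List<String> cns) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed attacker subject: a CN for the attacker's own host plus an
        // O value that smuggles ",CN=www.apache.org". In RFC 2253 form the
        // smuggled comma is escaped as "\,", which the naive splitter ignores.
        String attackerDn = "CN=attacker.example,O=foo\\,CN=www.apache.org";
        String target = "www.apache.org";

        System.out.println("naive CNs       : " + naiveCns(attackerDn));
        System.out.println("RDN-aware CNs   : " + rdnCns(attackerDn));
        System.out.println("naive accepts " + target + "     : "
                + hostMatchesCn(target, naiveCns(attackerDn)));
        System.out.println("RDN-aware accepts " + target + " : "
                + hostMatchesCn(target, rdnCns(attackerDn)));
    }
}
```

Run it with `javac SubjectCnDemo.java && java SubjectCnDemo`. The naive extractor reports two CNs for the constructed subject and therefore accepts a connection to www.apache.org presented with a certificate issued to attacker.example; the RDN-aware extractor sees a single CN, attacker.example, and rejects it. Two caveats a practitioner would add in production code: Rdn.getType() reports only the first attribute of a multi-valued RDN (CN=a+O=b), so iterate Rdn.toAttributes() if such RDNs must be handled; and CN matching is only the fallback, since modern hostname verification (RFC 6125) checks subjectAltName dNSName entries first.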

