axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Levent YILDIZ (JIRA)" <axis-...@ws.apache.org>
Subject [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596
Date Fri, 03 May 2019 09:02:00 GMT

    [ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16832374#comment-16832374
] 

Levent YILDIZ commented on AXIS-2905:
-------------------------------------

Hi, I have been encountering a problem with axis compiling that contain vulnerabilities patch.

When I download source and run this maven command (mvn clean install -Duser.timezone=UTC+3)
in that time every thing is ok.
But when I apply this vulnerability patch I take "[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check
(default) on project axis-rt-core: Signature errors found. Verify them and put @IgnoreJRERequirement
on them. -> [Help 1]".

Also I tried a lot off different maven version and Java version but taken same error. 
And also I googled this situation but not found any solution. 
Could you please help me? 
How can I apply this patch and build?

steps:
{code:java}
$ svn checkout https://svn.apache.org/repos/asf/axis/axis1/java/trunk axis
$ wget https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch .
$ cd axis
$ patch axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java ../CVE-2014-3596.patch
$ mvn clean install -Duser.timezone=UTC
{code}
Tolls and JDK versions
{code:java}
$ mvn -v
{code}
{code:java}
Java HotSpot(TM) 64-Bit Server VM warning: ignoring option PermSize=1024m; support was removed
in 8.0 Apache Maven 3.0.4 (r1232337; 2012-01-17 10:44:56+0200) Maven home: /Users/levent.yildiz/development/tools/maven-3.0.4
Java version: 1.8.0_171, vendor: Oracle Corporation Java home: /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre
Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "10.13.6", arch:
"x86_64", family: "mac"
{code}
 
{code:java}
$ sw_vers
{code}
{code:java}
 ProductName:    Mac OS X ProductVersion:    10.13.6 BuildVersion:    17G4015
{code}
 
{code:java}
$ ant -version
{code}
{code:java}
Apache Ant version 1.5.3 compiled on April 16 2003
{code}
 

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that
the server hostname matches the domain name in the subject's CN field was flawed. This can
be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate
using a specially crafted subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message