Bug 441904 (CVE-2012-5784) - www-servers/axis: Does not verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate (CVE-2012-5784)
Status: RESOLVED FIXED
Alias: CVE-2012-5784
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://nvd.nist.gov/nvd.cfm?cvename=C...
Whiteboard: B4 [noglsa]
Keywords:
Depends on: CVE-2014-3596
Reported: 2012-11-05 17:39 UTC by Agostino Sarubbo
Modified: 2015-06-16 02:53 UTC
Description Agostino Sarubbo gentoo-dev 2012-11-05 17:39:41 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=873252 :

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5784 to the following 
vulnerability:

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional 
Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, 
does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or 
subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof 
SSL servers via an arbitrary valid certificate.

References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
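
The check the CVE description says is missing, as an added example (not Axis code and not part of the original report). It is written in Python over the dictionary layout that `ssl.SSLSocket.getpeercert()` returns; the helper names and sample certificates are constructed for illustration, and only DNS hostnames (not IP addresses) are handled.

```python
# Added example: RFC 2818 / RFC 6125 style hostname matching over a parsed
# certificate. The dict layout is the one ssl.SSLSocket.getpeercert() returns;
# the certificates below are constructed sample data, not real ones.

def _dns_match(pattern, host):
    """Compare one certificate name with the host, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels or "*" in host:
        return False
    first, rest = p_labels[0], p_labels[1:]
    if rest != h_labels[1:]:
        return False
    if first == "*":
        # A wildcard covers exactly one left-most label and needs at least
        # two fixed labels after it, so "*.com" never matches.
        return len(rest) >= 2
    return "*" not in first and first == h_labels[0]


def hostname_matches(cert, host):
    """True if host is named by a dNSName SAN, or by CN when no dNSName exists."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # When dNSName entries are present, the CN is not consulted.
        return any(_dns_match(n, host) for n in dns_names)
    # Fallback: read commonName from the structured RDNs, never by
    # searching a flattened subject string for "CN=".
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, host) for cn in cns)


# Constructed certificates in getpeercert() form.
CERT_SAN = {
    "subject": ((("commonName", "legacy.example.org"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.cdn.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Example"),), (("commonName", "pay.example.net"),)),
}
CERT_OTHER = {"subject": ((("commonName", "unrelated.example.org"),),)}

if __name__ == "__main__":
    # A chain-valid certificate issued for another name must be rejected.
    for cert, host in [(CERT_SAN, "api.example.com"), (CERT_OTHER, "api.example.com")]:
        print(host, hostname_matches(cert, host))
```

A client that validates only the certificate chain accepts `CERT_OTHER` for `api.example.com`; this check is what rejects it.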
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-11-07 23:35:43 UTC
CVE-2012-5784 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5784):
  Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass
  Pay, PayPal Transactional Information SOAP, the Java Message Service
  implementation in Apache ActiveMQ, and other products, does not verify that
  the server hostname matches a domain name in the subject's Common Name (CN)
  or subjectAltName field of the X.509 certificate, which allows
  man-in-the-middle attackers to spoof SSL servers via an arbitrary valid
  certificate.
Comment 2 Patrice Clement gentoo-dev 2015-06-14 23:43:07 UTC
I can't (or actually won't) mark this security bug as a DUPLICATE to avoid getting into troubles but this is a duplicate of bug 520304.

You can read in the 1st comment posted by Ago:

"From ${URL} :

It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject."

The aforementioned bug is undergoing stabilisation.

@security team: please close this bug.
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-06-15 01:54:01 UTC
(In reply to Patrice Clement from comment #2)
> I can't (or actually won't) mark this security bug as a DUPLICATE to avoid
> getting into troubles but this is a duplicate of bug 520304.

Actually bug 520304 is a fix of the incomplete bug that was part of this one. I am setting the dependency on the other bug since the secondary bug will fix both.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-06-16 02:53:08 UTC
Closing bug with Bug 520304 as it was voted no for the same vulnerability.

Thank you all.