Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 520200 (CVE-2014-3577) - <dev-java/httpcomponents-core-4.4.1: Hostname verification susceptible to MITM attack (CVE-2014-3577)
Summary: <dev-java/httpcomponents-core-4.4.1: Hostname verification susceptible to MIT...
Alias: CVE-2014-3577
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
Whiteboard: ~4 [noglsa]
Depends on: 552566
  Show dependency tree
Reported: 2014-08-18 16:59 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2015-06-26 08:04 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-18 16:59:00 UTC
From ${URL}:
Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible 
to a 'Man in the Middle Attack' due to a flaw in the default hostname 
verification during SSL/TLS when a specially crafted server side 
certificate is used.


- -------

A man-in-the-middle can interpose itself between the server and the
code using an affected version of Apache HttpComponents as a client.

Leading to complete loss of end to end confidentiality and end to 
end integrety of the connection.

Versions affected: 
- ------------------
All versions prior to HttpClient 4.3.5 (including the Android port) 
and HttpAsyncClient 4.0.2. The fix was introduced in these versions.|org.apache.httpcomponents|

These have been silently pushed out to Maven central and Apache Dist 
as of 2014-08-1. An Android build was released on 2014-08-15.

- ----------

A fix has been applied as of revision 1614065 and is part of release 
HttpClient 4.3.5 (including HttpClient port for Android against the
official Google Android SDK)and HttpClient (async) 4.0.2.

Upgrading to these versions newer resolves this issue.

Mitigations and work arounds
- ----------------------------

If upgrading to version 4.3.5/4.0.2 is not an option; one could change 
the default org.apache.http.conn.ssl.AbstractVerifier of earlier 
versions for revision 1614065 of newer.

Note that exploitation of this flaw also requires some level of DNS or
IP spoofing (or existing 'in the middle infrastructure' such as a corporate
proxy or other TCP level equipment en-route). This need may allow for site 
specific alternative mitigations.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2015-01-04 00:53:51 UTC
CVE-2014-3577 (
  org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents
  HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly
  verify that the server hostname matches a domain name in the subject's
  Common Name (CN) or subjectAltName field of the X.509 certificate, which
  allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string
  in a field in the distinguished name (DN) of a certificate, as demonstrated
  by the "foo," string in the O field.
Comment 2 Patrice Clement gentoo-dev 2015-06-19 17:05:01 UTC
+*httpcomponents-core-4.4.1 (19 Jun 2015)
+  19 Jun 2015; Patrice Clement <>
+  +files/httpcomponents-core-4.4.1-httpcore-build.xml,
+  +files/httpcomponents-core-4.4.1-httpcore-nio-build.xml,
+  +httpcomponents-core-4.4.1.ebuild:
+  Version bump. Fix security bug 520200.

Arch teams,

Please stabilise:

Target arches:
amd64 x86

Comment 3 Agostino Sarubbo gentoo-dev 2015-06-23 15:25:05 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-06-23 15:25:33 UTC
x86 stable.

Maintainer(s), please cleanup.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-06-23 15:27:35 UTC
Package never stabilized, setting noglsa. Maintainer, please close the bug after cleanup
Comment 6 Patrice Clement gentoo-dev 2015-06-26 08:04:02 UTC
+  26 Jun 2015; Patrice Clement <>
+  -httpcomponents-client-4.3.1-r1.ebuild:
+  Remove vulnerable version. Fix security bug 520200.

+  26 Jun 2015; Patrice Clement <>
+  -httpcomponents-core-4.2.4.ebuild, -httpcomponents-core-4.3.ebuild,
+  -httpcomponents-core-4.4.1.ebuild:
+  Remove vulnerable versions. Fix security bug 520200.

I had to revbump and stabilise httpcomponents-core-4.4.1-r1.ebuild. See bug 553234 for more info. Closing this bug as per Kristian's comment.