The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Apache Commons HttpClient

computer vulnerability bulletin CVE-2014-3577

Apache HttpComponents HttpClient: erroneous certificate validation

Synthesis of the vulnerability

An attacker can create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.
Impacted products: Apache HttpClient, Fedora, RHEL, Red Hat JBoss EAP.
Severity: 1/4.
Creation date: 18/08/2014.
Identifiers: CVE-2014-3577, FEDORA-2014-9539, FEDORA-2014-9581, FEDORA-2014-9617, FEDORA-2014-9629, RHSA-2014:1082-01, RHSA-2014:1146-01, RHSA-2014:1162-01, RHSA-2014:1163-01, RHSA-2014:1166-01, RHSA-2014:1320-01, RHSA-2014:1321-01, RHSA-2014:1322-01, RHSA-2014:1323-01, RHSA-2014:1833-01, RHSA-2014:1834-01, RHSA-2014:1835-01, RHSA-2014:1836-01, RHSA-2014:1891-01, RHSA-2014:1892-01, RHSA-2014:1904-01, RHSA-2014:2019-01, RHSA-2014:2020-01, RHSA-2015:0125-01, RHSA-2015:0158-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:0850-01, RHSA-2015:0851-01, VIGILANCE-VUL-15198.

Description of the vulnerability

The HttpClient library can manage HTTP connections over SSL.

In order to authenticate a server, the client must check the certificate (cryptographic signatures, validity date range, etc.) and also that the received certificate matches the visited server. This check is usually done on DNS names, or sometimes on IP addresses. However, instead of comparing the exact subjectAltName field (or, for compatibility, the commonName field) with the targeted server name, the library looks for a substring that matches the targeted server name.

This vulnerability is a variant of VIGILANCE-VUL-12182.

An attacker can therefore create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.

vulnerability note 13544

HttpClient: man in the middle of SSL

Synthesis of the vulnerability

An attacker can act as a Man in the middle in the SSL/TLS session of HttpClient, in order to capture sensitive information.
Impacted products: Apache HttpClient.
Severity: 2/4.
Creation date: 08/10/2013.
Identifiers: VIGILANCE-VUL-13544.

Description of the vulnerability

An HttpClient instance can use the X509HostnameVerifier interface to define methods that verify the domain name associated with an SSL/TLS server.

However, in version 4.3, if users do not define their own methods, HttpClient does not check the domain name.

This vulnerability is similar to VIGILANCE-VUL-12182.

An attacker can therefore act as a Man in the middle in the SSL/TLS session of HttpClient, in order to capture sensitive information.

computer vulnerability alert 12326

Apache HttpClient: parameter injection with addRequestHeader

Synthesis of the vulnerability

When an attacker can control the parameter of the addRequestHeader() method of Apache HttpClient, he can insert additional HTTP headers.
Impacted products: Apache HttpClient.
Severity: 1/4.
Creation date: 11/01/2013.
Identifiers: VIGILANCE-VUL-12326.

Description of the vulnerability

The HTTP protocol uses text headers separated by line breaks. For example:
  GET / HTTP/1.0
  Host: www.example.com
  etc.

The addRequestHeader() method of Apache HttpClient is used to add an HTTP header to a query. However, this function does not forbid line feeds. An attacker can thus use it to add several HTTP headers at once.

When an attacker can control the parameter of the addRequestHeader() method of Apache HttpClient, he can therefore insert additional HTTP headers.
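The behaviour described above, as an added Python illustration (not HttpClient's code): an unchecked header value containing a line feed becomes a second header on the wire, while the hardened variant rejects it before serialisation. The request values are constructed.

```python
import re

# Characters that must never appear inside a header name or value.
_CTL = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a header name or value carries a line break or NUL."""


def is_safe_header(name, value):
    """True when neither part contains CR, LF or NUL."""
    return not (_CTL.search(name) or _CTL.search(value))


def add_request_header_unchecked(headers, name, value):
    """The behaviour described above: the value is appended as received."""
    headers.append((name, value))


def add_request_header_checked(headers, name, value):
    """Hardened variant: refuse the header instead of splitting it."""
    if not is_safe_header(name, value):
        raise HeaderInjection(f"control character in header {name!r}")
    headers.append((name, value))


def serialize_request(method, path, headers):
    """Request line plus headers joined with CRLF, as they go on the wire."""
    lines = [f"{method} {path} HTTP/1.0"]
    lines += [f"{name}: {value}" for name, value in headers]
    return "\r\n".join(lines) + "\r\n\r\n"


def header_names_seen_by_server(raw):
    """Header names a line-oriented server parser extracts; a bare LF inside
    a value is treated as a line break just like CRLF."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    return [line.split(":", 1)[0] for line in re.split(r"\r?\n", head)[1:]]
```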

vulnerability announce CVE-2012-5783

Apache HttpClient 3: incomplete certificate validation

Synthesis of the vulnerability

An attacker can use any valid certificate on a malicious server, and then invite an Apache HttpClient 3 client to connect to it, in order to spy on communications even if encryption is used.
Impacted products: Apache HttpClient, Fedora, OpenSAML-J, openSUSE, RHEL, Red Hat JBoss EAP.
Severity: 2/4.
Creation date: 23/11/2012.
Identifiers: BID-58073, CVE-2012-5783, FEDORA-2013-1189, FEDORA-2013-1203, FEDORA-2013-1289, HTTPCLIENT-1265, openSUSE-SU-2013:0354-1, openSUSE-SU-2013:0622-1, openSUSE-SU-2013:0623-1, openSUSE-SU-2013:0638-1, RHSA-2013:0270-01, RHSA-2013:0679-01, RHSA-2013:0680-01, RHSA-2013:0681-01, RHSA-2013:0682-01, RHSA-2013:0763-01, RHSA-2013:1006-01, RHSA-2013:1147-01, RHSA-2013:1853-01, RHSA-2014:0224-01, VIGILANCE-VUL-12182.

Description of the vulnerability

The HttpClient library can manage HTTP connections over SSL.

In order to authenticate a server, the client must check the certificate (cryptographic signatures, validity date range, etc.) and also that the received certificate matches the visited server. This check is usually done on DNS names, or sometimes on IP addresses. However, HttpClient does not check that the names included in the certificates match the one requested at HTTP level. So, any valid certificate is accepted.

An attacker can therefore use any valid certificate on a malicious server, and then invite an Apache HttpClient 3 client to connect to it, in order to spy on communications even if encryption is used.
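The three server-name matching behaviours described in the bulletins above (no comparison at all in HttpClient 3 and by default in HttpClient 4.3; a substring search in CVE-2014-3577) placed next to a strict whole-name match, as an added Python illustration that is not HttpClient's code. A certificate is modelled as a dict with the constructed keys "cn" and "sans"; only DNS names are modelled, IP address entries are left out.

```python
import re

# A certificate is modelled as {"cn": ..., "sans": [...]} (constructed data).
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def identities(cert):
    """Names the certificate claims: subjectAltName DNS entries when present,
    otherwise the commonName as a legacy fallback."""
    return list(cert["sans"]) if cert.get("sans") else [cert["cn"]]


def match_none(cert, host):
    """HttpClient 3 and the 4.3 default: the identity is never compared."""
    return True


def match_substring(cert, host):
    """CVE-2014-3577 style: the requested host only has to occur somewhere
    inside a certificate name."""
    return any(host.lower() in name.lower() for name in identities(cert))


def match_strict(cert, host):
    """Whole-name, case-insensitive comparison.  A '*' may replace only one
    complete left-most label and must be followed by at least two labels."""
    host_labels = host.lower().rstrip(".").split(".")
    if not all(_LABEL.match(lbl) for lbl in host_labels):
        return False
    for name in identities(cert):
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            if len(labels) >= 3 and labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


POLICIES = {"none": match_none, "substring": match_substring, "strict": match_strict}


def evaluate(cert, host):
    """Verdict of each policy for one (certificate, requested host) pair."""
    return {name: fn(cert, host) for name, fn in POLICIES.items()}
```

A certificate whose name merely contains the requested host, such as a commonName of www.example.com.attacker.test (constructed), is accepted by the first two policies and refused only by the strict one.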

computer vulnerability CVE-2011-1498

Apache HttpComponents HttpClient: obtaining proxy password

Synthesis of the vulnerability

When HttpClient connects to a proxy requiring an authentication, the login and password are sent to the remote server.
Impacted products: Apache HttpClient, Fedora.
Severity: 2/4.
Creation date: 21/03/2011.
Identifiers: BID-46974, CVE-2011-1498, FEDORA-2011-7747, VIGILANCE-VUL-10465, VU#153049.

Description of the vulnerability

The Apache HttpComponents HttpClient product implements the HTTP protocol.

An HTTP authentication uses:
 - the Authorization header to authenticate on a remote server
 - the Proxy-Authorization header to authenticate on the intermediate proxy

When SSL (https) is used, the Proxy-Authorization header is used to require the proxy to open a session to the remote server. However, HttpClient also adds the Proxy-Authorization header to the HTTP session tunneled by SSL. The remote server thus receives the login and the password of the proxy.

When HttpClient connects to a proxy requiring an authentication, the login and password are therefore sent to the remote server.
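The two legs of a proxied HTTPS request described above, as an added Python illustration (not HttpClient's code): the CONNECT sent in clear to the proxy legitimately carries Proxy-Authorization, but when the same header set is reused for the request inside the TLS tunnel, the origin server can read the proxy credentials back. The user name and password are constructed.

```python
import base64

# Headers that belong only to the client-to-proxy leg.  Proxy-Authorization is
# the one that carries credentials; other hop-by-hop headers are omitted here.
HOP_BY_HOP = {"proxy-authorization"}


def proxy_auth_value(user, password):
    """Basic credentials as they appear in Proxy-Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def connect_request(host, port, proxy_auth):
    """Headers of the CONNECT sent in clear to the proxy: the only hop that
    should ever see Proxy-Authorization."""
    return [("Host", f"{host}:{port}"), ("Proxy-Authorization", proxy_auth)]


def tunneled_request(host, client_headers, strip_hop_by_hop):
    """Headers of the request sent inside the TLS tunnel to the origin server.
    With strip_hop_by_hop=False the header set prepared for the proxy leg is
    reused verbatim, which is the defect described above."""
    headers = [("Host", host)] + list(client_headers)
    if strip_hop_by_hop:
        headers = [(n, v) for n, v in headers if n.lower() not in HOP_BY_HOP]
    return headers


def leaked_proxy_credentials(request_headers):
    """What the origin server can read back from a leaky request, else None."""
    for name, value in request_headers:
        if name.lower() == "proxy-authorization" and value.startswith("Basic "):
            return base64.b64decode(value[6:]).decode()
    return None
```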