Synthesis of the vulnerability 
An attacker can use any valid certificate on a malicious server, and then invite an Apache HttpClient 3 to connect there, in order to spy communications even if encryption is used.
Vulnerable systems: Apache HttpClient, Fedora, Notes by IBM, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, openSUSE, RHEL, JBoss EAP by Red Hat, Ubuntu.
Severity of this threat: 2/4.
Creation date: 23/11/2012.
References of this weakness: 2016216, BID-58073, CVE-2012-5783, FEDORA-2013-1189, FEDORA-2013-1203, FEDORA-2013-1289, HTTPCLIENT-1265, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, KB0086419, openSUSE-SU-2013:0354-1, openSUSE-SU-2013:0622-1, openSUSE-SU-2013:0623-1, openSUSE-SU-2013:0638-1, RHSA-2013:0270-01, RHSA-2013:0679-01, RHSA-2013:0680-01, RHSA-2013:0681-01, RHSA-2013:0682-01, RHSA-2013:0763-01, RHSA-2013:1006-01, RHSA-2013:1147-01, RHSA-2013:1853-01, RHSA-2014:0224-01, RHSA-2017:0868-01, swg22017526, USN-2769-1, VIGILANCE-VUL-12182.
Description of the vulnerability 
The HttpClient library can manage HTTP connections over SSL.
In order to authenticate a server, the client must check the certificate itself (cryptographic signatures, validity date range, etc.) and also that the received certificate was issued for the server being visited. This second check is usually done on DNS names, or sometimes on IP addresses. However, HttpClient 3 does not check that the names included in the certificate match the hostname requested at the HTTP level. So, any certificate with a valid chain is accepted, whatever name it was issued for.
An attacker can therefore use any valid certificate on a malicious server, and then invite an Apache HttpClient 3 to connect there, in order to spy communications even if encryption is used.
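The following added example (it is not Apache HttpClient code and is not from the bulletin) separates the two checks the description distinguishes: chain validation, which HttpClient 3 performed, and hostname verification, which it skipped. The `hostname_matches` function implements the name comparison in RFC 6125 style (case-insensitive DNS match, a single wildcard only in the leftmost label, IP literals compared against iPAddress entries, and a CN fallback only when no dNSName SAN is present); the two `ssl.SSLContext` builders show the weak configuration that reproduces the library's behaviour next to the corrected one. The SAN tuples, host names and IP addresses are constructed sample values.

```python
"""Hostname verification beside chain validation (added example, not HttpClient code).

Chain validation answers "was this certificate issued by a trusted CA?";
hostname verification answers "was it issued for the host I asked for?".
A client that performs only the first check accepts any valid certificate,
which is exactly the gap described for Apache HttpClient 3.
"""
import ipaddress
import ssl
from typing import List, Optional, Tuple

# SAN entries are modelled as (type, value) pairs, the shape Python's
# ssl.getpeercert() returns, e.g. ("DNS", "www.example.com") (constructed).
SanList = List[Tuple[str, str]]


def _dns_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName pattern against a requested host name.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the entire leftmost label, must leave at least two labels
    after it (so "*.com" never matches), and covers exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard anywhere but the leftmost label is rejected
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def _as_ip(value: str):
    """Return an ip_address object for an IP literal, or None otherwise."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def hostname_matches(san: SanList, requested: str, cn: Optional[str] = None) -> bool:
    """True if the certificate's names cover the host the client asked for.

    An IP literal must equal an iPAddress SAN entry exactly. For DNS names the
    dNSName entries are consulted; the subject CN is used only when the
    certificate carries no dNSName SAN at all.
    """
    requested_ip = _as_ip(requested)
    if requested_ip is not None:
        for kind, value in san:
            if kind == "IP Address" and _as_ip(value) == requested_ip:
                return True
        return False
    dns_names = [value for kind, value in san if kind == "DNS"]
    if not dns_names and cn:
        dns_names = [cn]
    return any(_dns_matches(name, requested) for name in dns_names)


def weak_context() -> ssl.SSLContext:
    """Reproduces the HttpClient 3 behaviour: chain checked, names not checked."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # any CA-signed certificate is accepted
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: create_default_context() already enables both checks."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    # A valid certificate for one host presented by a different host (constructed).
    attacker_cert_san = [("DNS", "www.attacker.example")]
    print("names checked:", hostname_matches(attacker_cert_san, "bank.example"))  # False
    print("weak context skips names:", not weak_context().check_hostname)        # True
```

With `weak_context()` the attacker's certificate above would be accepted as long as its chain validates; with `hardened_context()` the same handshake fails because the name check, equivalent to `hostname_matches`, rejects it.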
This alert affects software or systems including Apache HttpClient, Fedora, Notes by IBM, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, openSUSE, RHEL, JBoss EAP by Red Hat, Ubuntu.
The Vigil@nce team rates the severity of this vulnerability as medium.
Confidence level: confirmed by the vendor. Attack origin: internet server.
A proof of concept or an attack tool is available, so this alert has to be processed. An attacker with technician-level skill can exploit this vulnerability.
Solutions for this threat 
Apache HttpClient 3: patch for SSL certificate validation.
A patch is available in information sources.
Fedora: new jakarta-commons-httpclient packages.
New packages are available:
jakarta-commons-httpclient-3.1-12.fc16
jakarta-commons-httpclient-3.1-12.fc17
jakarta-commons-httpclient-3.1-12.fc18
HCL Notes: fixed versions for Multiple Components.
Fixed versions are indicated in information sources.
IBM Tivoli System Automation Application Manager: solution for WebSphere AS.
The solution is indicated in information sources.
IBM WebSphere AS: patch for Apache Commons HttpClient.
A patch is indicated in information sources.
JBoss: solution for jakarta-commons-httpclient.
A solution is available in information sources.
JBoss Web Framework Kit: version 2.2.0.
The version 2.2.0 is fixed:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions
openSUSE: new jakarta-commons-httpclient3 packages.
New packages are available:
openSUSE 12.1 : jakarta-commons-httpclient3-3.0.1-313.6.1
openSUSE 12.2 : jakarta-commons-httpclient-3.1-2.6.1
openSUSE: new jakarta-commons-httpclient packages.
New packages are available:
openSUSE 11.4 : jakarta-commons-httpclient3-3.0.1-313.1
openSUSE 12.1 : jakarta-commons-httpclient3-3.0.1-313.10.1
openSUSE 12.2 : jakarta-commons-httpclient-3.1-2.10.1
openSUSE 12.3 : jakarta-commons-httpclient-3.1-4.5.1
Red Hat Enterprise Virtualization: new redhat-support-plugin-rhev packages.
New packages are available:
RHEL 6: redhat-support-plugin-rhev 3.3.0-14.el6ev
Red Hat JBoss BRMS: version 5.3.1 roll up patch 2.
The version JBoss BRMS 5.3.1 roll up patch 2 is fixed:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1
Red Hat JBoss Fuse/A-MQ: version 6.3 R2.
The version 6.3 R2 is fixed:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3.0
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3.0
Red Hat JBoss Operations Network: version 3.2.0.
The version 3.2.0 is fixed:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.2.0
Red Hat JBoss SOA Platform: version 5.3.1 roll up patch 3.
The version 5.3.1 roll up patch 3 is fixed:
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA
RHEL: new jakarta-commons-httpclient packages.
New packages are available:
jakarta-commons-httpclient-3.0-7jpp.2
jakarta-commons-httpclient-3.1-0.7.el6_3
Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1
WebSphere Enterprise Service: solution for Apache HttpClient.
The solution is indicated in information sources.