The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache HttpClient 3: incomplete certificate validation

Summary of the vulnerability

An attacker holding any valid certificate (issued for any name at all) can present it on a malicious server, then lure an application built on Apache HttpClient 3 into connecting to that server, in order to intercept the communications even though they are encrypted.
Vulnerable systems: Apache HttpClient, Fedora, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, openSUSE, RHEL, JBoss EAP by Red Hat, Ubuntu.
Severity of this threat: 2/4.
Creation date: 23/11/2012.
References for this weakness: 2016216, BID-58073, CVE-2012-5783, FEDORA-2013-1189, FEDORA-2013-1203, FEDORA-2013-1289, HTTPCLIENT-1265, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, openSUSE-SU-2013:0354-1, openSUSE-SU-2013:0622-1, openSUSE-SU-2013:0623-1, openSUSE-SU-2013:0638-1, RHSA-2013:0270-01, RHSA-2013:0679-01, RHSA-2013:0680-01, RHSA-2013:0681-01, RHSA-2013:0682-01, RHSA-2013:0763-01, RHSA-2013:1006-01, RHSA-2013:1147-01, RHSA-2013:1853-01, RHSA-2014:0224-01, RHSA-2017:0868-01, swg22017526, USN-2769-1, VIGILANCE-VUL-12182.

Description of the vulnerability 

The HttpClient library can open HTTP connections over SSL/TLS (HTTPS).

To authenticate a server, a TLS client must validate the certificate chain (signatures, validity period, trusted issuer, etc.) and must also check that the received certificate was issued for the server it intended to reach. This second check normally compares the DNS name, or sometimes the IP address, from the requested URL against the certificate's subjectAltName entries or its subject Common Name (CN). However, the default HTTPS socket factory of HttpClient 3.x performs no such hostname check: the names contained in the certificate are never compared with the host named at HTTP level. So any certificate that chains to a trusted CA is accepted, whatever name it was issued for.

An attacker can therefore present any valid certificate on a malicious server (for instance one legitimately obtained for a domain the attacker controls), redirect or lure an Apache HttpClient 3 client to connect there, and then read or modify the communications even though they are encrypted.
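The fix on the client side is to perform the missing step yourself: replace HttpClient 3.x's built-in "https" socket factory with one that, after the TLS handshake, requires the peer certificate to match the host named in the URL. The class below is an added example written for this page, not code from the Apache project or from the Vigil@nce bulletin. It assumes the HttpClient 3.1 API (SecureProtocolSocketFactory, Protocol.registerProtocol) and Java 7 or later, where JSSE can do RFC 2818 hostname matching itself once the "HTTPS" endpoint identification algorithm is enabled; the class name and the target URL are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/**
 * Hypothetical replacement for HttpClient 3.x's default "https" socket factory.
 * Chain validation is left to the JDK exactly as before; what is added is the
 * check the vulnerable factory omits: the certificate must be issued for the
 * requested host (subjectAltName dNSName/iPAddress, falling back to subject CN).
 */
public class HostVerifyingSslSocketFactory implements SecureProtocolSocketFactory {

    // The same JSSE factory the vulnerable default uses (default trust store).
    private final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();

    private static SSLSocket handshakeAndVerify(SSLSocket s, String host) throws IOException {
        SSLParameters p = s.getSSLParameters();
        // Java 7+: JSSE matches 'host' against the peer certificate during the handshake.
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake(); // throws SSLHandshakeException on untrusted chain OR name mismatch
        return s;
    }

    // Layer TLS over a plain TCP socket so that 'host' is always passed explicitly
    // to JSSE; this is also the path HttpClient uses for HTTPS through a proxy.
    private SSLSocket wrap(Socket plain, String host, int port) throws IOException {
        return handshakeAndVerify((SSLSocket) jsse.createSocket(plain, host, port, true), host);
    }

    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
        return createSocket(host, port, null, 0);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort)
            throws IOException, UnknownHostException {
        Socket plain = new Socket();
        plain.bind(new InetSocketAddress(localAddress, localPort)); // null address = any interface
        plain.connect(new InetSocketAddress(host, port));
        return wrap(plain, host, port);
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params)
            throws IOException, UnknownHostException, ConnectTimeoutException {
        if (params == null) {
            throw new IllegalArgumentException("Parameters may not be null");
        }
        Socket plain = new Socket();
        plain.bind(new InetSocketAddress(localAddress, localPort));
        plain.connect(new InetSocketAddress(host, port), params.getConnectionTimeout()); // 0 = no timeout
        return wrap(plain, host, port);
    }

    public Socket createSocket(Socket socket, String host, int port, boolean autoClose)
            throws IOException, UnknownHostException {
        return handshakeAndVerify((SSLSocket) jsse.createSocket(socket, host, port, autoClose), host);
    }

    public static void main(String[] args) throws IOException {
        // Vulnerable default: "new HttpClient()" alone uses the built-in factory, no hostname check.
        // Hardened: register the verifying factory for "https" before the first request.
        Protocol.registerProtocol("https",
                new Protocol("https", (ProtocolSocketFactory) new HostVerifyingSslSocketFactory(), 443));

        HttpClient client = new HttpClient();
        GetMethod get = new GetMethod("https://www.example.com/"); // hypothetical target
        try {
            // A server presenting a valid certificate for some other name now fails here
            // with an SSLHandshakeException instead of being silently accepted.
            int status = client.executeMethod(get);
            System.out.println("HTTP " + status);
        } finally {
            get.releaseConnection();
        }
    }
}
```

Protocol.registerProtocol changes a static, JVM-wide registry, so the call must run once before any HTTPS request and affects every HttpClient 3 instance in the process, including those inside third-party libraries. Where an upgrade is possible, HttpComponents HttpClient 4.x verifies hostnames by default and removes the need for this workaround.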

This computer threat alert impacts software or systems such as Apache HttpClient, Fedora, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, openSUSE, RHEL, JBoss EAP by Red Hat, Ubuntu.

The Vigil@nce team rates the severity of this vulnerability as medium (2/4).

Trust level: confirmed by the software vendor. Attack origin: Internet server.

A proof of concept or an attack tool is available, so this alert must be processed. Exploitation requires technician-level skill.

Solutions for this threat 

Apache HttpClient 3: patch for SSL certificate validation.
A patch is available in information sources.

Fedora: new jakarta-commons-httpclient packages.
New packages are available:
  jakarta-commons-httpclient-3.1-12.fc16
  jakarta-commons-httpclient-3.1-12.fc17
  jakarta-commons-httpclient-3.1-12.fc18

IBM Tivoli System Automation Application Manager: solution for WebSphere AS.
The solution is indicated in information sources.

IBM WebSphere AS: patch for Apache Commons HttpClient.
A patch is indicated in information sources.

JBoss: solution for jakarta-commons-httpclient.
A solution is available in information sources.

JBoss Web Framework Kit: version 2.2.0.
The version 2.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

openSUSE: new jakarta-commons-httpclient3 packages.
New packages are available:
  openSUSE 12.1 : jakarta-commons-httpclient3-3.0.1-313.6.1
  openSUSE 12.2 : jakarta-commons-httpclient-3.1-2.6.1

openSUSE: new jakarta-commons-httpclient packages.
New packages are available:
  openSUSE 11.4 : jakarta-commons-httpclient3-3.0.1-313.1
  openSUSE 12.1 : jakarta-commons-httpclient3-3.0.1-313.10.1
  openSUSE 12.2 : jakarta-commons-httpclient-3.1-2.10.1
  openSUSE 12.3 : jakarta-commons-httpclient-3.1-4.5.1

Red Hat Enterprise Virtualization: new redhat-support-plugin-rhev packages.
New packages are available:
  RHEL 6: redhat-support-plugin-rhev 3.3.0-14.el6ev

Red Hat JBoss BRMS: version 5.3.1 roll up patch 2.
The version JBoss BRMS 5.3.1 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=securityPatches&version=5.3.1

Red Hat JBoss Fuse/A-MQ: version 6.3 R2.
The version 6.3 R2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.3.0

Red Hat JBoss Operations Network: version 3.2.0.
The version 3.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=em&version=3.2.0

Red Hat JBoss SOA Platform: version 5.3.1 roll up patch 3.
The version 5.3.1 roll up patch 3 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=soaplatform&downloadType=securityPatches&version=5.3.1+GA

RHEL: new jakarta-commons-httpclient packages.
New packages are available:
  jakarta-commons-httpclient-3.0-7jpp.2
  jakarta-commons-httpclient-3.1-0.7.el6_3

Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
  Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
  Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1

WebSphere Enterprise Service Bus: solution for Apache HttpClient.
The solution is indicated in information sources.