The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache HttpComponents HttpClient: erroneous certificate validation

Synthesis of the vulnerability

An attacker can create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.
Vulnerable products: Apache HttpClient, Fedora, HPE NNMi, QRadar SIEM, WebSphere AS Traditional, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS BI Server, SAS Enterprise Guide, SAS Grid Computing, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/INSIGHT, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Ubuntu.
Severity of this weakness: 1/4.
Creation date: 18/08/2014.
References of this bulletin: 2015815, 7036319, c05103564, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2014-3577, FEDORA-2014-9539, FEDORA-2014-9581, FEDORA-2014-9617, FEDORA-2014-9629, HPSBMU03584, RHSA-2014:1082-01, RHSA-2014:1146-01, RHSA-2014:1162-01, RHSA-2014:1163-01, RHSA-2014:1166-01, RHSA-2014:1320-01, RHSA-2014:1321-01, RHSA-2014:1322-01, RHSA-2014:1323-01, RHSA-2014:1833-01, RHSA-2014:1834-01, RHSA-2014:1835-01, RHSA-2014:1836-01, RHSA-2014:1891-01, RHSA-2014:1892-01, RHSA-2014:1904-01, RHSA-2014:2019-01, RHSA-2014:2020-01, RHSA-2015:0125-01, RHSA-2015:0158-01, RHSA-2015:0234-01, RHSA-2015:0235-01, RHSA-2015:0675-01, RHSA-2015:0720-01, RHSA-2015:0765-01, RHSA-2015:0850-01, RHSA-2015:0851-01, RHSA-2015:1009, RHSA-2015:1176-01, RHSA-2015:1177-01, RHSA-2016:1931-01, USN-2769-1, VIGILANCE-VUL-15198.

Description of the vulnerability

The HttpClient library can manage HTTP connections over SSL.

To authenticate a server, the client must check the certificate itself (cryptographic signatures, validity period, etc.) and also that the received certificate matches the server being visited. This check is usually done on DNS names, or sometimes on IP addresses. However, instead of looking at the exact subjectAltName field or, for compatibility, the commonName field, the library looks for a substring that matches the targeted server name.

This vulnerability is a variant of VIGILANCE-VUL-12182.

An attacker can therefore create an SSL certificate which will be wrongly validated by Apache HttpComponents HttpClient, in order to capture traffic and bypass encryption.
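As an added illustration (not code from this bulletin, nor from HttpClient itself), the following Python function models the check the description calls for: exact matching on the parsed subjectAltName dNSName values, with a fallback to the parsed commonName attribute only when no dNSName exists, rather than a substring search over the distinguished name. The certificates are constructed dictionaries in the shape Python's ssl.getpeercert() returns, with made-up names.

```python
def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive comparison of one dNSName (or commonName)
    value against a hostname. A '*' is honoured only as the entire
    left-most label, and only when at least two labels follow it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_matches_certificate(cert: dict, hostname: str) -> bool:
    """Return True only if the certificate names `hostname`.

    `cert` uses the shape Python's ssl.SSLSocket.getpeercert() returns:
    'subjectAltName' is a tuple of (type, value) pairs and 'subject' is
    a tuple of RDNs, each a tuple of (attribute, value) pairs. Matching
    is done on whole parsed attribute values; the DN is never flattened
    to a string and searched for a substring.
    """
    dns_names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if dns_names:
        # RFC 6125: when dNSName entries exist, the commonName is ignored.
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):
        for attribute, value in rdn:
            if attribute == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed sample certificates (made-up names, not real certificates).
CERT_WITH_SAN = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.example.com"),)}
# No SAN; the organizationName value merely contains text resembling a CN.
# The certificate's only real commonName is other.example.net, so a check
# that compares parsed attributes must not accept www.example.com here.
CERT_LOOKALIKE_DN = {
    "subject": ((("organizationName", "CN=www.example.com, O=Example Corp"),),
                (("commonName", "other.example.net"),)),
}
```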


Our Vigil@nce team determined that the severity of this security weakness is low.

The trust level is: confirmed by the vendor; the attack origin is: an internet server.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

Apache HttpComponents HttpClient: version 4.3.5.
The version 4.3.5 is fixed.

Fedora: new httpcomponents-client packages.
New packages are available:
  Fedora 19: httpcomponents-client 4.2.5-4.fc19
  Fedora 20: httpcomponents-client 4.2.5-4.fc20

Fedora: new jakarta-commons-httpclient packages.
New packages are available:
  Fedora 19: jakarta-commons-httpclient 3.1-15.fc19
  Fedora 20: jakarta-commons-httpclient 3.1-15.fc20

HP NNMi: patch.
A patch is indicated in information sources.

IBM QRadar SIEM: fixed versions for Apache HttpComponents HttpClient.
Fixed versions are indicated in information sources.

Liferay Portal: version 7.1.3 CE GA 4.
The version 7.1.3 CE GA 4 is fixed.

Red Hat JBoss A-MQ: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=distributions&version=6.2.0

Red Hat JBoss A-MQ: version 6.2.1 Rollup Patch 4.
The version 6.2.1 Rollup Patch 4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.amq&downloadType=securityPatches&version=6.2.1

Red Hat JBoss BPM/BRMS: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.1.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.1.0

Red Hat JBoss BPM Suite: version 6.0.3 roll up patch 2.
The version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS/BPM Suite: version 6.0.3 roll up patch 1.
The version 6.0.3 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=bpm.suite&downloadType=distributions&version=6.0.3
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss BRMS: version 6.0.3 roll up patch 2.
The version 6.0.3 roll up patch 2 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=brms&downloadType=distributions&version=6.0.3

Red Hat JBoss Data Virtualization: version 6.0.0 2015 roll up patch 1.
The version 6.0.0 2015 roll up patch 1 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=securityPatches&version=6.0.0

Red Hat JBoss Data Virtualization: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=data.services.platform&downloadType=distributions&version=6.1.0

Red Hat JBoss EAP: new apache packages.
New packages are available:
  RHEL 5: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el5, wss4j 1.6.16-2.redhat_3.1.ep6.el5
  RHEL 6: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el6, wss4j 1.6.16-2.redhat_3.1.ep6.el6
  RHEL 7: apache-cxf 2.7.12-1.SP1_redhat_5.1.ep6.el7, wss4j 1.6.16-2.redhat_3.1.ep6.el7

Red Hat JBoss EAP: patch for Apache.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Enterprise Web Platform: solution for HttpComponents.
The solution is indicated in information sources.

Red Hat JBoss Fuse Service Works: version 6.0.0 roll up patch 4.
The version 6.0.0 roll up patch 4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse.serviceworks&downloadType=securityPatches&version=6.0.0

Red Hat JBoss Fuse: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=distributions&version=6.2.0

Red Hat JBoss Fuse: version 6.2.1 Rollup Patch 4.
The version 6.2.1 Rollup Patch 4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.2.1

Red Hat JBoss: new httpcomponents-eap6-6-12.redhat packages.
New packages are available:
  RHEL 5: httpcomponents-eap6-6-12.redhat 2.1.ep6.el5
  RHEL 6: httpcomponents-eap6-6-12.redhat 2.1.ep6.el6
  RHEL 7: httpcomponents-eap6-6-12.redhat 2.1.ep6.el7

Red Hat JBoss Operations Network: version 3.2.3.
The version 3.2.3 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=em&downloadType=securityPatches&version=3.3.0

Red Hat JBoss: patch for HttpComponents.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=6.3

Red Hat JBoss Portal: version 6.2.0.
The version 6.2.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions

Red Hat JBoss: solution for Apache CXF.
The solution is indicated in information sources.

Red Hat JBoss Web Framework Kit: version 2.7.0.
The version 2.7.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=web.framework.kit&downloadType=distributions

Red Hat Software Collections: new thermostat1-httpcomponents-client packages.
New packages are available:
  RHEL 6: thermostat1-httpcomponents-client 4.2.5-3.4.el6.1

RHEL 6 RHEV-M: new rhevm packages.
New packages are available:
  RHEL 6: rhevm 3.5.0-0.29.el6ev

RHEL 7.0: new httpcomponents-client packages.
New packages are available:
  RHEL 7: httpcomponents-client 4.2.5-5.el7_0

RHEL: new jakarta-commons-httpclient packages.
New packages are available:
  RHEL 5: jakarta-commons-httpclient 3.0-7jpp.4.el5_10
  RHEL 6: jakarta-commons-httpclient 3.1-0.9.el6_5
  RHEL 7: jakarta-commons-httpclient 3.1-16.el7_0

SAS: Security Update 2020-08.
A patch is available:
  https://tshf.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html

Ubuntu: new libcommons-httpclient-java packages.
New packages are available:
  Ubuntu 15.04: libcommons-httpclient-java 3.1-10.2ubuntu0.15.04.1
  Ubuntu 14.04 LTS: libcommons-httpclient-java 3.1-10.2ubuntu0.14.04.1
  Ubuntu 12.04 LTS: libcommons-httpclient-java 3.1-10ubuntu0.1

WebSphere AS: version 8.5.5.9.
The version 8.5.5.9 is fixed:
  http://www.ibm.com/support/docview.wss?uid=swg24041819
