The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache HttpComponents HttpClient: obtaining proxy password

Synthesis of the vulnerability 

When HttpClient connects to an https server through a proxy that requires authentication, the proxy login and password are also sent to the remote server.
Vulnerable software: Apache HttpClient, Fedora, QRadar SIEM.
Severity of this announcement: 2/4.
Creation date: 21/03/2011.
References of this computer vulnerability: 2015815, BID-46974, CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2011-1498, FEDORA-2011-7747, VIGILANCE-VUL-10465, VU#153049.

Description of the vulnerability 

The Apache HttpComponents HttpClient product implements the HTTP protocol.

An HTTP authentication uses:
 - the Authorization header to authenticate on a remote server
 - the Proxy-Authorization header to authenticate on the intermediate proxy

When SSL (https) is used through a proxy, the client first sends a CONNECT request to the proxy, carrying the Proxy-Authorization header, to ask the proxy to open a tunnel to the remote server. The TLS session is then established inside that tunnel, so everything exchanged in it is opaque to the proxy and readable only by the remote server. However, HttpClient also adds the Proxy-Authorization header to the request sent inside the SSL tunnel. The remote server thus receives the login and password of the proxy.

When HttpClient connects to an https server through a proxy that requires authentication, the proxy login and password are therefore also sent to the remote server.
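The following Python model of the two messages described above is an added example, not code from the bulletin or from the HttpClient project. It builds the cleartext CONNECT request (where Proxy-Authorization belongs) and the request carried inside the tunnel (which only the origin server can read), reproduces the pre-4.1.1 behaviour with a `leak` flag, and shows the check an origin server operator can run: any Proxy-Authorization header arriving at an origin, rather than at a proxy, is a leaking client, and a Basic token in it decodes straight back to the proxy password. Host names and credentials are constructed sample values.

```python
import base64
from typing import Dict, Optional

# Constructed sample values (not from the bulletin).
PROXY_USER = "proxyuser"
PROXY_PASS = "proxysecret"
ORIGIN_HOST = "origin.example"


def basic_credentials(user: str, password: str) -> str:
    """HTTP Basic token: base64 of 'user:password'."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_connect_request(host: str, port: int, proxy_auth: str) -> str:
    """CONNECT request sent in the clear to the proxy.

    This is the only message that should carry Proxy-Authorization: the proxy
    authenticates the client here, then relays opaque TLS bytes."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        f"Proxy-Authorization: {proxy_auth}\r\n"
        "\r\n"
    )


def build_tunneled_request(host: str, path: str, proxy_auth: str, leak: bool) -> str:
    """Request sent inside the TLS tunnel; it reaches only the origin server.

    leak=True models HttpClient before 4.1.1, which copied the proxy
    credentials into this request.  leak=False models the corrected client."""
    headers = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if leak:
        headers.append(f"Proxy-Authorization: {proxy_auth}")
    return "\r\n".join(headers) + "\r\n\r\n"


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal request parser; header names are case-insensitive, so lower-case them."""
    head, _, _ = raw.partition("\r\n\r\n")
    result: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        result[name.strip().lower()] = value.strip()
    return result


def origin_server_leak_check(raw_request: str) -> Optional[str]:
    """Check an origin server can run on an inbound request.

    Proxy-Authorization has no business arriving at an origin server; if it
    does, the client is leaking.  Returns the recovered 'user:password' for a
    Basic token, the raw token for other schemes, or None when nothing leaked."""
    token = parse_headers(raw_request).get("proxy-authorization")
    if token is None:
        return None
    scheme, _, blob = token.partition(" ")
    if scheme.lower() == "basic":
        return base64.b64decode(blob).decode()
    return token


def simulate_exchange(leak: bool) -> Dict[str, object]:
    """Run both messages and report what each party could observe."""
    proxy_auth = basic_credentials(PROXY_USER, PROXY_PASS)
    connect = build_connect_request(ORIGIN_HOST, 443, proxy_auth)
    tunneled = build_tunneled_request(ORIGIN_HOST, "/", proxy_auth, leak)
    return {
        # The proxy sees the CONNECT request and nothing inside the tunnel.
        "proxy_got_credentials": "proxy-authorization" in parse_headers(connect),
        # The origin sees only the tunneled request.
        "origin_leak": origin_server_leak_check(tunneled),
    }


if __name__ == "__main__":
    print("vulnerable client:", simulate_exchange(leak=True))
    print("fixed client:     ", simulate_exchange(leak=False))
```

The proxy is authenticated in both runs; the difference is only whether the origin server also ends up holding the proxy password. On a real deployment the same check belongs in the origin's access log review: a hit on `Proxy-Authorization` in inbound request headers identifies clients still running a leaking HttpClient build.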

This cybersecurity bulletin impacts software or systems such as Apache HttpClient, Fedora, QRadar SIEM.

Our Vigil@nce team determined that the severity of this cybersecurity weakness is medium.

Trust level: confirmed by the vendor. Attack origin: internet server.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat 

Apache HttpComponents HttpClient: version 4.1.1.
Version 4.1.1 is fixed:
  http://hc.apache.org/downloads.cgi

Fedora 15: new httpcomponents-client packages.
New packages are available:
  httpcomponents-client-4.1.1-2.fc15

IBM QRadar SIEM: fixed versions for Apache HttpComponents HttpClient.
Fixed versions are indicated in information sources.

Liferay Portal: version 7.1.3 CE GA 4.
The version 7.1.3 CE GA 4 is fixed.

Computer vulnerabilities tracking service 

Vigil@nce provides systems vulnerabilities bulletins. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.