The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of HttpClient: man in the middle of SSL

Summary of the vulnerability

An attacker can act as a man in the middle on an SSL/TLS session opened by HttpClient, in order to capture sensitive information.
Vulnerable systems: Apache HttpClient.
Severity of this threat: 2/4.
Creation date: 08/10/2013.
References for this weakness: CST-7122, CST-7123, CST-7124, CST-7125, CST-7126, CST-7127, CST-7128, CST-7129, CST-7130, CST-7131, CVE-2013-4366, VIGILANCE-VUL-13544.

Description of the vulnerability 

An HttpClient instance relies on the X509HostnameVerifier interface to check that the name in the certificate presented by an SSL/TLS server matches the host the client intended to reach. Without this check, a certificate that is valid for any other name would be accepted, so certificate-chain validation alone does not bind the connection to the requested host.

However, in version 4.3.0, the verifier configured on the SSL connection socket factory is never invoked after the handshake. Unless the application performs its own check, HttpClient therefore does not verify the domain name at all, and any certificate issued by a trusted CA, for any host, is accepted.

This vulnerability is similar to VIGILANCE-VUL-12182.

An attacker who can redirect traffic (for example on a hostile network or via DNS) and holds a certificate for any name issued by a CA in the client's trust store can therefore act as a man in the middle on the SSL/TLS session of HttpClient, in order to capture sensitive information such as credentials, cookies and request bodies.
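The following Java example is added here to illustrate the two sides of this issue; it is not code from the Vigil@nce bulletin or from the HttpClient project. It shows the corrected configuration (an explicit STRICT_HOSTNAME_VERIFIER passed to SSLConnectionSocketFactory, which 4.3.1 and later honour), the weak ALLOW_ALL setting beside it for contrast, an application-side check that runs the verifier itself against the negotiated SSLSession for code still stuck on 4.3.0, and an offline demonstration of what each verifier accepts using constructed certificate names. The class name, the `verifyPeer` helper and the sample names are assumptions of this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;

import org.apache.http.HttpHost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.conn.ManagedHttpClientConnection;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

/** Added example for HttpClient 4.3.x; not part of the bulletin or the project. */
public class HostnameCheckedClient {

    // Weak setting: accepts any name in the certificate, which is exactly the
    // behaviour the 4.3.0 bug produces by accident. Never ship this.
    // static final X509HostnameVerifier VERIFIER =
    //         SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER;

    // Corrected setting: the certificate must name the host we asked for.
    static final X509HostnameVerifier VERIFIER =
            SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER;

    /** Client with an explicit hostname verifier (invoked by 4.3.1 and later). */
    public static CloseableHttpClient build() {
        SSLContext sslContext = SSLContexts.createDefault();   // JVM default trust store
        SSLConnectionSocketFactory sslsf =
                new SSLConnectionSocketFactory(sslContext, VERIFIER);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /**
     * Application-side check for code that cannot leave 4.3.0 yet (assumed helper).
     * Call it with the HttpClientContext used for the request, before the response
     * body is consumed (the pooled connection is still attached at that point).
     * Throws if the peer certificate does not name the target host.
     */
    public static void verifyPeer(HttpClientContext context) throws SSLException {
        ManagedHttpClientConnection conn =
                context.getConnection(ManagedHttpClientConnection.class);
        HttpHost target = context.getTargetHost();
        if (conn == null || target == null) {
            throw new SSLException("no connection or target host recorded in context");
        }
        SSLSession session = conn.getSSLSession();   // null for a plain http:// route
        if (session == null) {
            return;
        }
        if (!VERIFIER.verify(target.getHostName(), session)) {
            throw new SSLException("certificate does not match host " + target.getHostName());
        }
    }

    /** Offline demonstration with constructed certificate names (no network needed). */
    public static void main(String[] args) {
        String[] cns = { "*.example.com" };   // constructed subject CN
        String[] sans = null;                 // constructed: no subjectAltName entries
        check(SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER, "www.example.com", cns, sans);
        check(SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER, "a.b.example.com", cns, sans);
        check(SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER, "a.b.example.com", cns, sans);
        check(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER, "attacker.test", cns, sans);
    }

    static void check(X509HostnameVerifier v, String host, String[] cns, String[] sans) {
        try {
            v.verify(host, cns, sans);   // throws SSLException on mismatch
            System.out.println(v.getClass().getSimpleName() + " accepts " + host);
        } catch (SSLException e) {
            System.out.println(v.getClass().getSimpleName() + " rejects " + host + ": " + e.getMessage());
        }
    }
}
```

Two caveats for the `verifyPeer` workaround: it runs after the request has already been sent, so headers such as cookies or an Authorization value have already reached whoever terminated the connection, and it only sees the connection that served that one request, not the whole pool. It is a detection aid for an interim period; the actual fix is the 4.3.1 upgrade listed in the solutions below, after which the verifier passed to SSLConnectionSocketFactory is enforced on every handshake.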

This security bulletin impacts software or systems such as Apache HttpClient.

Our Vigil@nce team rated the severity of this security announcement as medium.

Trust level: confirmed by the vendor. Attack origin: internet server.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

HttpClient: version 4.3.1.
The version 4.3.1 is fixed:
  http://hc.apache.org/downloads.cgi

Liferay Portal: version 7.1.3 CE GA 4.
The version 7.1.3 CE GA 4 is fixed.

Computer vulnerabilities tracking service 

Vigil@nce provides a computer security database. The technology watch team tracks security threats targeting the computer system.