Axis / AXIS-2905

Insecure certificate validation CVE-2014-3596


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.4
    • Fix Version/s: None
    • Component/s: None
    • Labels: None

      Description

      It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.

      For more details, see:

      https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
      https://access.redhat.com/solutions/1164433
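The class of flaw the description points at, shown as an added illustration (this is not the Axis code and not the attached patch; the subject strings are constructed for the demo and the helper names naiveCn, parsedCn and hostMatches are hypothetical): a CN pulled out of the subject DN by searching the string for "CN=" is not the same thing as the CN attribute of the parsed name. A subject that carries "CN=<target host>" inside the value of some other attribute satisfies the string search while the real CN belongs to the attacker, which is the kind of specially crafted subject a MITM needs.

```java
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnHostnameCheck {

    /** Naive CN extraction: scan the DN string for "CN=" and take the text up to the
     *  next comma. Constructed to illustrate the flaw class (string search instead of
     *  RDN parsing); it is not the Axis implementation. */
    static String naiveCn(String subjectDn) {
        int start = subjectDn.indexOf("CN=");
        if (start < 0) {
            return null;
        }
        int valueStart = start + "CN=".length();
        int end = subjectDn.indexOf(',', valueStart);
        return end < 0 ? subjectDn.substring(valueStart) : subjectDn.substring(valueStart, end);
    }

    /** RDN-aware extraction: parse the RFC 2253 string, walk the RDNs from the most
     *  specific (leftmost) one and return the first attribute whose TYPE is CN.
     *  "CN=" appearing inside another attribute's value is never seen as a CN. */
    static String parsedCn(String subjectDn) {
        LdapName name;
        try {
            name = new LdapName(subjectDn);
        } catch (InvalidNameException e) {
            return null; // unparseable subject: fail closed, no CN means no match
        }
        // LdapName indexes RDNs right-to-left: size()-1 is the leftmost RDN of the string.
        for (int i = name.size() - 1; i >= 0; i--) {
            Rdn rdn = name.getRdn(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Compare a host against a CN: exact case-insensitive match, or a single "*."
     *  wildcard that may stand for exactly one whole leftmost label. */
    static boolean hostMatches(String host, String cn) {
        if (host == null || cn == null) {
            return false;
        }
        String h = host.toLowerCase(Locale.ROOT);
        String c = cn.toLowerCase(Locale.ROOT);
        if (!c.startsWith("*.")) {
            return h.equals(c);
        }
        String suffix = c.substring(1); // ".victim.example"
        if (!h.endsWith(suffix)) {
            return false;
        }
        String label = h.substring(0, h.length() - suffix.length());
        return !label.isEmpty() && label.indexOf('.') < 0;
    }

    public static void main(String[] args) {
        String host = "www.victim.example";
        // Constructed subject DNs. The third hides "CN=<host>" inside the value of an
        // O attribute; its real CN is the attacker's name.
        String[] subjects = {
            "CN=www.victim.example,O=Victim Inc,C=US",
            "CN=*.victim.example,O=Victim Inc,C=US",
            "O=xCN=www.victim.example,CN=attacker.example",
        };
        for (String dn : subjects) {
            boolean naive = hostMatches(host, naiveCn(dn));
            boolean parsed = hostMatches(host, parsedCn(dn));
            System.out.printf("%-46s naive=%-5b parsed=%b%n", dn, naive, parsed);
        }
    }
}
```

Run with `java CnHostnameCheck.java` (Java 11+ single-file launch). The first two subjects match under both extractors; the third matches only under the string search, which is the bypass. Two further points a verifier should honour regardless of how the CN is read: per RFC 2818 and RFC 6125 the dNSName entries of subjectAltName take precedence and CN is only a fallback, and on Java 7 and later the whole check can be delegated to JSSE by calling SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") on the connection, which avoids hand-written DN parsing altogether.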

        Attachments

        1. CVE-2014-3596.patch (12 kB, David Jorm)

               People

               • Assignee: Unassigned
               • Reporter: David Jorm (dfj)
               • Votes: 2
               • Watchers: 6
