Uploaded image for project: 'Axis'
  1. Axis
  2. AXIS-2905

Insecure certificate validation CVE-2014-3596

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.4
    • None
    • None
    • None

    Description

      It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.

      For more details, see:

      https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
      https://access.redhat.com/solutions/1164433

      Attachments

        1. CVE-2014-3596.patch
          12 kB
          David Jorm

        Issue Links

          supercedes

          Bug - A problem which impairs or prevents the functions of the product. AXIS-2883 Insecure certificate validation CVE-2012-5784

          • Major - Major loss of function.
          • Closed

          Activity

            People

              robertlazarski Robert Lazarski
              dfj David Jorm
              Votes:
              2 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: