  1. Axis
  2. AXIS-2905

Insecure certificate validation CVE-2014-3596

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 1.4
    • None
    • None
    • None

    Description

      It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.

      For more details, see:

      https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
      https://access.redhat.com/solutions/1164433

          People

            robertlazarski Robert Lazarski
            dfj David Jorm
            Votes: 2
            Watchers: 7
