SSL Spoofing Vulnerability in Apache Axis Products
CVE-2012-5784

Currently unrated

Key Information:

Vendor
Apache
CVE Published:
4 November 2012

Summary

Apache Axis and related products do not verify that the server hostname matches a domain name in the Common Name (CN) or subjectAltName field of the server's X.509 certificate. A man-in-the-middle attacker can exploit this to impersonate a legitimate SSL server by presenting a valid certificate, which jeopardizes the integrity and confidentiality of sensitive data in transit.
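The hostname check described above, written out as an added example (this is not Apache Axis code or the project's fix). The class and method names are hypothetical, the certificate names are constructed, and the rule of consulting the CN only when the certificate carries no dNSName entries follows RFC 2818.

```java
import java.util.List;
import java.util.Locale;

public class HostnameCheck {
    // True when host equals the certificate name, or the name is a wildcard
    // of the form "*.example.com" covering exactly one left-most label.
    static boolean matchesName(String host, String pattern) {
        String h = host.toLowerCase(Locale.ROOT);
        String p = pattern.toLowerCase(Locale.ROOT);
        if (!p.startsWith("*.")) {
            return h.equals(p);
        }
        String suffix = p.substring(1);              // ".example.com"
        int dot = h.indexOf('.');
        boolean suffixHasTwoLabels = suffix.indexOf('.', 1) > 0; // rejects "*.com"
        return dot > 0 && suffixHasTwoLabels && h.substring(dot).equals(suffix);
    }

    // dnsNames: subjectAltName dNSName entries; commonName: subject CN.
    // The CN is a fallback used only when there are no dNSName entries.
    static boolean verify(String host, List<String> dnsNames, String commonName) {
        if (!dnsNames.isEmpty()) {
            for (String name : dnsNames) {
                if (matchesName(host, name)) {
                    return true;
                }
            }
            return false;
        }
        return commonName != null && matchesName(host, commonName);
    }

    public static void main(String[] args) {
        // Constructed case: a CA-signed certificate issued for another site.
        // Chain validation alone accepts it; the name check must reject it.
        List<String> otherSite = List.of("www.attacker.example");
        System.out.println(verify("bank.example.com", otherSite, "www.attacker.example"));
        // Constructed case: certificate issued for the host the client dialed.
        List<String> sameSite = List.of("*.example.com", "example.com");
        System.out.println(verify("bank.example.com", sameSite, null));
        // A wildcard does not span two labels.
        System.out.println(verify("a.b.example.com", sameSite, null));
        // No dNSName entries: fall back to the CN.
        System.out.println(verify("bank.example.com", List.of(), "bank.example.com"));
    }
}
```

In JSSE clients the same check runs during the handshake when `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` is set on the socket or engine.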
