Server Hostname Verification Issue in Apache Commons HttpClient
CVE-2012-6153
Summary
Apache Commons HttpClient before version 4.2.3 does not correctly verify that the hostname of the server it connects to matches a domain name in the X.509 certificate's subject Common Name (CN) or subjectAltName field; the affected check is in http/conn/ssl/AbstractVerifier.java. A man-in-the-middle attacker who holds a certificate whose subject carries the target name in a field other than the CN can therefore pass hostname verification and impersonate a legitimate SSL/TLS server. The issue exists because the fix for the earlier hostname-verification advisory, CVE-2012-5783, was incomplete; upgrading to HttpClient 4.2.3 or later addresses it.
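The following is an added example, not code from the Apache HttpClient project, showing why the way a CN is extracted from the subject DN matters. The weak extractor models a substring search for "CN=" over the stringified subject DN (an illustration of the class of defect described above, not the library's actual code); the strict one splits the DN into RDNs and only honours the CN attribute type, and the verifier prefers subjectAltName dNSName entries over the CN as RFC 6125 prescribes. The distinguished names, SAN lists and hostnames are constructed for the example.

```python
"""Hostname verification: weak CN extraction beside a strict one (added example).

Assumptions: certificates are represented as already-parsed fields (a subject
DN string in RFC 2253 style and a list of dNSName SANs), so this runs offline.
"""


def split_rdns(dn):
    """Split a DN string on unescaped commas, keeping backslash escapes intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return [p for p in parts if p.strip()]


def weak_get_cns(subject_dn):
    """Weak: any comma-separated token containing 'CN=' anywhere yields a 'CN'.

    A value such as O=CN=www.bank.example is mistaken for a Common Name.
    """
    cns = []
    for tok in subject_dn.split(","):
        x = tok.find("CN=")
        if x >= 0:
            cns.append(tok[x + 3:].strip())
    return cns


def strict_get_cns(subject_dn):
    """Strict: only RDNs whose attribute type is CN (case-insensitive) count."""
    cns = []
    for rdn in split_rdns(subject_dn):
        typ, _, val = rdn.partition("=")
        if typ.strip().upper() == "CN":
            cns.append(val.strip())
    return cns


def name_matches(hostname, pattern):
    """Exact match, or a wildcard that is the whole left-most label only.

    Wildcards are refused for patterns with fewer than two labels after the
    '*' (so '*.com' never matches) and only span a single hostname label.
    """
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or tail.count(".") < 1:
        return False
    hhead, hsep, htail = hostname.partition(".")
    return bool(hsep and hhead and htail == tail)


def verify_hostname(hostname, san_dns_names, subject_dn, get_cns=strict_get_cns):
    """RFC 6125 order: dNSName SANs are authoritative when present; else use CN."""
    if san_dns_names:
        return any(name_matches(hostname, n) for n in san_dns_names)
    return any(name_matches(hostname, cn) for cn in get_cns(subject_dn))


# Constructed sample data for the example.
ATTACKER_DN = "O=CN=www.bank.example, CN=attacker.example"
LEGIT_DN = "CN=www.bank.example, O=Example Bank, C=US"

if __name__ == "__main__":
    print("weak  :", verify_hostname("www.bank.example", [], ATTACKER_DN, weak_get_cns))
    print("strict:", verify_hostname("www.bank.example", [], ATTACKER_DN))
    print("legit :", verify_hostname("www.bank.example", [], LEGIT_DN))
    print("san   :", verify_hostname("www.bank.example", ["*.bank.example"], ATTACKER_DN))
```

The weak extractor accepts the attacker's certificate for www.bank.example because the target name appears after "CN=" inside the O attribute's value; the strict extractor sees only the real CN, attacker.example, and rejects it. Note also that once a certificate carries dNSName SANs the CN is ignored entirely, which is the behaviour modern clients implement.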
References
Timeline
Vulnerability published
Vulnerability reserved