Improper Handling of NUL Byte in SSL Certificate Common Name Field in Serf by Apache
CVE-2014-3504

Key Information:

Vendor: Apache
CVE Published: 19 August 2014

Summary

The Serf library, versions 0.2.0 through 1.3.x before 1.3.7, does not correctly handle a NUL byte in the domain name of the Common Name (CN) field of an X.509 certificate. A man-in-the-middle attacker holding a crafted certificate issued by a trusted Certification Authority can therefore impersonate any SSL server, exposing users to threats such as session hijacking and data interception.
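To make the defect concrete, the following added example (not serf's code; the cn_value type, the function names and the sample certificate field are assumptions for this illustration) contrasts a CN check that treats the field as a C string with one that honours the ASN.1 length and rejects any embedded NUL byte.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* A CN as read from the DER certificate: bytes plus the ASN.1 length, which
 * may legally count NUL bytes. Hypothetical type, not serf's own API. */
typedef struct { const unsigned char *data; size_t len; } cn_value;

/* Vulnerable pattern: C-string routines stop at the first NUL in the CN. */
bool cn_matches_cstring(const cn_value *cn, const char *host)
{
    return strcmp((const char *)cn->data, host) == 0;
}

/* Case-insensitive byte comparison over an explicit length (no NUL stop). */
static bool bytes_ieq(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Hardened pattern: use the ASN.1 length, refuse embedded NUL, then compare
 * the whole field (one leading "*." wildcard label allowed). */
bool cn_matches_strict(const cn_value *cn, const char *host)
{
    size_t hlen = strlen(host);
    if (cn->len == 0 || memchr(cn->data, 0, cn->len) != NULL)
        return false;                          /* NUL inside CN: reject */
    if (cn->len == hlen)
        return bytes_ieq(cn->data, host, hlen);
    if (cn->len > 2 && cn->data[0] == '*' && cn->data[1] == '.') {
        const char *dot = strchr(host, '.');   /* suffix such as ".example.com" */
        if (dot == NULL)
            return false;
        return cn->len - 1 == strlen(dot) && bytes_ieq(cn->data + 1, dot, strlen(dot));
    }
    return false;
}

/* Constructed sample of the shape the advisory describes: victim hostname
 * before the NUL, the certificate holder's real name after it. */
static const unsigned char forged_cn[] = "www.example.com\0.attacker.example";
static const cn_value forged = { forged_cn, sizeof(forged_cn) - 1 };

/* True when the strict check rejects the CN that the C-string check accepts. */
bool forged_cn_detected(void)
{
    return cn_matches_cstring(&forged, "www.example.com") &&
           !cn_matches_strict(&forged, "www.example.com");
}
```

A real verifier must also walk the subjectAltName extension and match the presented name against every entry with the same length-aware rule.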
