Hostname Verification Vulnerability in Apache HttpComponents
CVE-2014-3577
Summary
A flaw exists in the hostname verification implementation of the Apache HttpComponents HttpClient and HttpAsyncClient: it fails to properly ensure that the server's hostname matches the domain name given in the X.509 certificate's Common Name (CN) or subjectAltName field. This shortcoming could allow attackers to carry out man-in-the-middle attacks by spoofing SSL servers, potentially leading to unauthorized access to sensitive data exchanged during secure communications. Notably, an attacker could exploit a crafted string in the certificate's distinguished name (DN), thereby undermining the protections that SSL/TLS is intended to provide.
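The defensive point behind this class of bug is that the CN must be read as a structured attribute of the DN, not found by substring search in the flattened DN text. The following Java snippet is an added illustration, not code from Apache HttpComponents and not the library's actual vulnerable or fixed code; the class, method names and the sample DN are constructed for this example.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import java.util.Locale;

// Hypothetical helper contrasting two ways of extracting the CN from a subject DN.
public final class CnExtractor {

    // Fragile approach: searching for "cn=" in the flat DN string can pick up text
    // that sits inside the value of a different attribute (here, O=).
    static String cnBySubstring(String dn) {
        String lower = dn.toLowerCase(Locale.ROOT);
        int start = lower.indexOf("cn=");
        if (start < 0) {
            return null;
        }
        int end = dn.indexOf(',', start);
        return end < 0 ? dn.substring(start + 3) : dn.substring(start + 3, end);
    }

    // Structural approach: parse the DN into RFC 2253 RDNs and read only the
    // value whose attribute type is CN, so other attribute values cannot masquerade.
    static String cnByRdn(String dn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DN: the quoted O value contains CN-looking text,
        // while the genuine CN attribute names a different host.
        String dn = "O=\"Sample Org, CN=www.example.com\",CN=other.example.net";
        System.out.println("substring : " + cnBySubstring(dn));   // misled by the O value
        System.out.println("structural: " + cnByRdn(dn));         // other.example.net
    }
}
```

In production code the check belongs to a current, patched TLS/HTTP library, and subjectAltName entries should be preferred over the CN; this snippet only shows why a structural parse matters.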