CVE-2014-3596

Currently unrated

Key Information:

Vendor: Apache
Status: Axis
Vendor: CVE Published:; 27 August 2014

Summary

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

References

http://www.openwall.com/lists/oss-security/2014/08/20/2

mailing-listx_refsource_MLIST

https://issues.apache.org/jira/browse/AXIS-2905

x_refsource_MISC

https://exchange.xforce.ibmcloud.com/vulnerabilities/95377

vdb-entryx_refsource_XF

Timeline

Vulnerability published
Aug 27, 2014
Vulnerability Reserved
May 14, 2014