Insecure Certificate Validation in Apache Axis 1.4 and Earlier
CVE-2014-3596
Summary
The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the X.509 certificate's Common Name (CN) or subjectAltName field. A man-in-the-middle attacker can exploit this to spoof an SSL server, serving malicious content that appears legitimate to the client. The issue exists because the fix for a related, previously reported vulnerability was incomplete.
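The check that this advisory describes as missing, as an added example in Python rather than Axis's own code: the hostname is matched against the certificate's dNSName SAN entries, against the CN only when no dNSName SAN is present, and against iPAddress SAN entries for IP-literal hostnames, with the usual wildcard restrictions. The `cn` argument is assumed to be the CN attribute value already extracted by a proper X.500 DN parser; the names and sample values are constructed for illustration.

```python
import ipaddress


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS-ID (a dNSName SAN or the CN) against the hostname.

    Rules: case-insensitive comparison, the same number of labels, and a wildcard
    only as the entire left-most label of a name with at least three labels, so
    "*.example.com" matches "www.example.com" but not "a.b.example.com" or
    "example.com", and "*.com" or "f*o.example.com" are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if "*" in pattern:
        # Exactly one wildcard, standing alone in the left-most label, with at
        # least two fixed labels to its right.
        if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
            return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_hostname(hostname: str, cn, san_dns_names=(), san_ips=()) -> bool:
    """Return True only if the certificate is bound to the hostname we connected to.

    An IP-literal hostname must appear exactly in an iPAddress SAN (the CN is never
    consulted for it). A DNS hostname is checked against every dNSName SAN; the CN
    is used as a fallback only when the certificate carries no dNSName SAN at all.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(s) for s in san_ips)
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    return cn is not None and dns_name_matches(cn, hostname)


if __name__ == "__main__":
    # Constructed sample: a certificate issued for api.example.com must not be
    # accepted for www.example.com even though its CN happens to say otherwise.
    print(verify_hostname("www.example.com", "www.example.com", ("api.example.com",)))
```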