CVE-2014-3577

Summary

CVE	CVE-2014-3577
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2014-08-21 14:55:00 UTC
Updated	2023-11-07 02:20:00 UTC
Description	org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Risk And Classification

Problem Types: NVD-CWE-Other

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Httpasyncclient	All	All	All	All
Application	Apache	Httpclient	All	All	All	All

References

Reference	Source	Link	Tags
Full Disclosure: CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack	FULLDISC	seclists.org	Exploit, Mailing List, Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Security Advisory SA60713 - Apache HttpComponents HttpClient / Apache HttpComponents HttpAsyncClient X.509 Certificate Validation Security Issue - Secunia	SECUNIA	secunia.com	Third Party Advisory
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Apache HttpComponents Man-In-The-Middle ≈ Packet Storm	MISC	packetstormsecurity.com	Exploit, Third Party Advisory, VDB Entry
[security-announce] openSUSE-SU-2020:1873-1: important: Security update	SUSE	lists.opensuse.org
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
IBM X-Force Exchange	XF	exchange.xforce.ibmcloud.com	Third Party Advisory, VDB Entry
USN-2769-1: Apache Commons HttpClient vulnerabilities \| Ubuntu	UBUNTU	www.ubuntu.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
CPU July 2018	CONFIRM	www.oracle.com
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
oss-security - Multiple vulnerabilities in Jenkins and Jenkins plugins	MLIST	www.openwall.com
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Apache HttpComponents Incomplete Fix CVE-2014-3577 SSL Validation Security Bypass Vulnerability	BID	www.securityfocus.com	Third Party Advisory, VDB Entry
Do CVE-2012-6153 and CVE-2014-3577 affect Red Hat products? - Red Hat Customer Portal	CONFIRM	access.redhat.com	Third Party Advisory
110143	OSVDB	www.osvdb.org	Broken Link
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Security Advisory SA60589 - Red Hat update for httpcomponents-client - Secunia	SECUNIA	secunia.com	Third Party Advisory
Red Hat JBoss Certificate Validation Flaw Lets Remote Users Spoof SSL Servers - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry
About Secunia Research \| Flexera	SECUNIA	secunia.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html		lists.apache.org
Document Display \| HPE Support Center	CONFIRM	h20566.www2.hpe.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
[security-announce] openSUSE-SU-2020:1875-1: important: Security update	SUSE	lists.opensuse.org
Pony Mail!	MLIST	lists.apache.org
CVE-2014-3577 Apache HttpComponents HttpClient Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	rhn.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

20269 IBM DB2 Multiple Vulnerabilities (6466365)
20330 IBM DB2 Secure Sockets Layer (SSL) Server Spoofing Vulnerability (6953757)
240138 Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:0055)
375670 IBM WebSphere Application Server Multiple Vulnerabilities (6453091)
690202 Free Berkeley Software Distribution (FreeBSD) Security Update for jenkins (9bad457e-b396-4452-8773-15bec67e1ceb)
730235 Jenkins Core Security Update (Jenkins Security Advisory 2021-10-06)
770138 Red Hat OpenShift Container Platform 4.1 Security Update (RHSA-2022:0055)
980486 Java (maven) Security Update for org.apache.httpcomponents:httpclient (GHSA-cfh5-3ghh-wfjx)