Serf CVE-2014-3504 SSL Certificate Validation Information Disclosure Vulnerability

Bugtraq ID:	69238
Class:	Design Error
CVE:	CVE-2014-3504
Remote:	Yes
Local:	No
Published:	Aug 14 2014 12:00AM
Updated:	Oct 26 2016 01:16AM
Credit:	Ben Reser
Vulnerable:	Ubuntu Ubuntu Linux 14.04 LTS Ubuntu Ubuntu Linux 12.04 LTS i386 Ubuntu Ubuntu Linux 12.04 LTS amd64 Ubuntu Ubuntu Linux 12.04 LTS Serf Project Serf 1.3.6 Serf Project Serf 0.2 Mandriva Business Server 1 X86 64 Mandriva Business Server 1 Gentoo Linux
Not Vulnerable:	Serf Project Serf 1.3.7

Serf CVE-2014-3504 SSL Certificate Validation Information Disclosure Vulnerability

Serf is prone to an information disclosure vulnerability.

An attacker can exploit this issue through man-in-the-middle attacks by impersonating a trusted server. This may allow the attacker to obtain or modify sensitive information. Information harvested may aid in further attacks.

Serf CVE-2014-3504 SSL Certificate Validation Information Disclosure Vulnerability

An attacker can use readily available network utilities to exploit this issue.

Serf CVE-2014-3504 SSL Certificate Validation Information Disclosure Vulnerability

Solution:
Updates are available. Please see the references for more information.


Mandriva Business Server 1 X86 64

• Mandriva lib64serf-devel-1.1.1-1.mbs1.x86_64.rpm
  http://www.mandriva.com/en/downloads/


• Mandriva lib64serf0-1.1.1-1.mbs1.x86_64.rpm
  http://www.mandriva.com/en/downloads/

Serf CVE-2014-3504 SSL Certificate Validation Information Disclosure Vulnerability

References:

• libserf: failure to properly handle a NUL character in the CommonName or Subject (Red Hat)
  
• Serf Security Advisory for CVE-2014-3504: SSL Certificate Null Byte Poisoning (Serf)
  
• USN-2315-1: serf vulnerability (Ubuntu)