Apache HttpComponents Incomplete Fix SSL Certificate Validation Security Bypass Vulnerability
BID:69257
Info
| Bugtraq ID: | 69257 |
| Class: | Design Error |
| CVE: | CVE-2012-6153 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 13 2014 12:00AM |
| Updated: | Nov 24 2016 01:14AM |
| Credit: | Florian Weimer |

Vulnerable:
- Ubuntu Ubuntu Linux 15.04
- Ubuntu Ubuntu Linux 14.04 LTS
- Ubuntu Ubuntu Linux 12.04 LTS
- Redhat Software Collections 1 for RHEL 6 0
- Redhat JBoss Enterprise Application Platform 6.3
- Redhat JBoss Enterprise Application Platform 6 EL6
- Redhat JBoss Enterprise Application Platform 6 EL5
- Redhat JBoss BRMS 6.0.3
- Redhat Jboss Bpm Suite 6.0.3
- Redhat Jboss Bpm Suite 6.0.1
- Redhat Jboss Bpm Suite 6.0.0
- Redhat Developer Toolset 2
- IBM ISALite 11.5
- IBM ISALite 11.3
- IBM Infosphere Metadata Workbench 9.1
- IBM Infosphere Metadata Workbench 8.7
- IBM InfoSphere Metadata Asset Manager 9.1
- IBM InfoSphere Metadata Asset Manager 8.7
- IBM InfoSphere Metadata Asset Manager 11.3
- IBM InfoSphere Information Server on Cloud 11.5
- IBM InfoSphere Information Server Manager 9.1
- IBM InfoSphere Information Server Manager 8.7
- IBM InfoSphere Information Governance Catalog 11.5
- IBM InfoSphere Information Governance Catalog 11.3
- IBM InfoSphere FastTrack 11.5
- IBM InfoSphere FastTrack 11.3
- IBM InfoSphere DataStage 9.1
- IBM InfoSphere DataStage 8.7
- IBM InfoSphere DataStage 8.5
- IBM InfoSphere Data Quality Exception Console 11.5
- IBM InfoSphere Data Quality Exception Console 11.3
- IBM InfoSphere Business Glossary Client for Eclipse 9.1
- IBM InfoSphere Business Glossary Client for Eclipse 8.7
- IBM InfoSphere Business Glossary Client for Eclipse 8.5
- IBM InfoSphere Business Glossary Client for Eclipse 11.5
- IBM InfoSphere Business Glossary Client for Eclipse 11.3
- IBM InfoSphere Business Glossary 9.1
- IBM InfoSphere Business Glossary 8.7
- IBM InfoSphere Blueprint Director 9.1
- IBM InfoSphere Blueprint Director 8.7
- IBM InfoSphere Blueprint Director 8.5
- IBM InfoSphere Blueprint Director 11.3
- IBM Flex System Manager 1.3.2
- IBM Flex System Manager 1.3.4.0
- IBM Flex System Manager 1.3.3.0
- IBM Bluemix Liberty for Java 1.6
- IBM Bluemix Liberty for Java 1.5
- IBM Bluemix Liberty for Java 1.3
- IBM Bluemix Liberty for Java 1.12-20150130-1059
- HP Network Node Manager i 9.20
- HP Network Node Manager i 10.0
- Apache HttpComponents HttpClient 4.2.2
- Apache HttpComponents HttpClient 4.1.1
- Apache HttpComponents HttpClient 4.1
- Apache Commons HttpClient 3.0
- Apache Commons HttpClient 3.1

Not Vulnerable:
- Redhat JBoss BRMS 6.1
- Redhat Jboss Bpm Suite 6.1
- IBM Bluemix Liberty for Java 1.13-20150209-1122
Discussion
Apache HttpComponents is prone to a security-bypass vulnerability because the application fails to properly validate the SSL certificate presented by the server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
Note: This issue exists because the fix for CVE-2012-5783 (identified in BID 58073, Apache Commons HttpClient CVE-2012-5783 SSL Certificate Validation Security Bypass Vulnerability) was incomplete.
Exploit / POC
An attacker can use readily available network utilities to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Apache Homepage (Apache)
- Apache HttpComponents Product Page (Apache Software Foundation)
- Bug 1129916 - (CVE-2012-6153) CVE-2012-6153 Apache HttpComponents client: Hostna (Red Hat Bugzilla)
- HPSBMU03584 rev.1 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabi (HP)
- Important: thermostat1-httpcomponents-client security update (Red Hat)
- isg3T1024467: IBM Flex System Manager (FSM) is affected by a vulnerability in sql (IBM)
- Red Hat JBoss Enterprise Application Platform 6.3.0 security update (Red Hat)
- Revision 1411705 (Apache Software Foundation)
- RHSA-2014:1098 Important: devtoolset-2-httpcomponents-client security update (Red Hat)
- Security Advisory Important: Red Hat JBoss BPM Suite 6.1.0 update (Red Hat)
- Security Advisory Important: Red Hat JBoss BRMS 6.1.0 update (Red Hat)
- Security Bulletin: Multiple vulnerabilities fixed in Liberty for Java for IBM Bl (IBM)
- swg21982420: Vulnerabilities in Apache HttpComponents affect IBM InfoSphere Infor (IBM)
- USN-2769-1: Apache Commons HttpClient vulnerabilities (Ubuntu)