Apache HttpComponents Incomplete Fix CVE-2014-3577 SSL Validation Security Bypass Vulnerability
BID: 69258
Info
| Field | Value |
|---|---|
| Bugtraq ID: | 69258 |
| Class: | Design Error |
| CVE: | CVE-2014-3577 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 12 2014 12:00AM |
| Updated: | Jan 12 2017 12:14AM |
| Credit: | Subodh Iyengar, and Will Shackleton |

Vulnerable:
- Ubuntu Ubuntu Linux 15.04
- Ubuntu Ubuntu Linux 14.04 LTS
- Ubuntu Ubuntu Linux 12.04 LTS
- Redhat Software Collections 1 for RHEL 6 0
- Redhat JBoss Fuse 6.1.0
- Redhat JBoss Enterprise Application Platform 6.3
- Redhat JBoss Enterprise Application Platform 6 EL6
- Redhat JBoss Enterprise Application Platform 6 EL5
- Redhat JBoss BRMS 6.0.3
- Redhat Jboss Bpm Suite 6.0.3
- Redhat Jboss Bpm Suite 6.0.1
- Redhat Jboss Bpm Suite 6.0.0
- Redhat JBoss A-MQ 6.1.0
- Redhat Enterprise Linux Workstation 7
- Redhat Enterprise Linux Workstation 6
- Redhat Enterprise Linux Server EUS 6.5.z
- Redhat Enterprise Linux Server AUS 6.5
- Redhat Enterprise Linux Server 7
- Redhat Enterprise Linux Server 6
- Redhat Enterprise Linux HPC Node 7
- Redhat Enterprise Linux HPC Node 6
- Redhat Enterprise Linux Desktop Workstation 5 client
- Redhat Enterprise Linux Desktop 7
- Redhat Enterprise Linux Desktop 6
- Redhat Enterprise Linux Desktop 5 client
- Redhat Enterprise Linux 5 Server
- Oracle Enterprise Linux 7
- Mandriva Business Server 1 X86 64
- Mandriva Business Server 1
- IBM ISALite for IBM InfoSphere Information Server 11.5
- IBM ISALite for IBM InfoSphere Information Server 11.3
- IBM Infosphere Metadata Workbench 9.1
- IBM Infosphere Metadata Workbench 8.7
- IBM InfoSphere Metadata Asset Manager 9.1
- IBM InfoSphere Metadata Asset Manager 8.7
- IBM InfoSphere Information Server on Cloud 11.5
- IBM InfoSphere Information Server Manager 9.1
- IBM InfoSphere Information Server Manager 8.7
- IBM InfoSphere Information Governance Catalog 11.5
- IBM InfoSphere Information Governance Catalog 11.3
- IBM InfoSphere FastTrack 11.5
- IBM InfoSphere FastTrack 11.3
- IBM InfoSphere DataStage XML Connector stage 9.1
- IBM InfoSphere DataStage XML Connector stage 8.7
- IBM InfoSphere DataStage XML Connector stage 8.5
- IBM InfoSphere DataStage Hierarchical Data stage 11.5
- IBM InfoSphere DataStage Hierarchical Data stage 11.3
- IBM InfoSphere DataStage Connectors 9.1
- IBM InfoSphere DataStage Connectors 8.7
- IBM InfoSphere DataStage Connectors 8.5
- IBM InfoSphere DataStage Connectors 11.5
- IBM InfoSphere DataStage Connectors 11.3
- IBM InfoSphere Data Quality Exception Console 11.5
- IBM InfoSphere Data Quality Exception Console 11.3
- IBM InfoSphere Business Glossary Client for Eclipse 9.1
- IBM InfoSphere Business Glossary Client for Eclipse 8.7
- IBM InfoSphere Business Glossary Client for Eclipse 8.5
- IBM InfoSphere Business Glossary Client for Eclipse 11.5
- IBM InfoSphere Business Glossary Client for Eclipse 11.3
- IBM InfoSphere Business Glossary 9.1
- IBM InfoSphere Business Glossary 8.7
- IBM InfoSphere Blueprint Director 9.1
- IBM InfoSphere Blueprint Director 8.7
- IBM InfoSphere Blueprint Director 8.5
- IBM InfoSphere Blueprint Director 11.3
- IBM Bluemix Liberty for Java 1.6
- IBM Bluemix Liberty for Java 1.5
- IBM Bluemix Liberty for Java 1.3
- IBM Bluemix Liberty for Java 1.12-20150130-1059
- HP Network Node Manager i 9.20
- HP Network Node Manager i 10.0
- HP Helion Eucalyptus 4.3
- CentOS CentOS 5
- Avaya one-X Client Enablement Services 6.1 SP2
- Avaya one-X Client Enablement Services 6.1 SP1
- Avaya one-X Client Enablement Services 6.1
- Apache HttpComponents HttpClient 4.2.2
- Apache HttpComponents HttpClient 4.1.1
- Apache HttpComponents HttpClient 4.3
- Apache HttpComponents HttpClient 4.1
- Apache HttpComponents HttpAsyncClient 4.0

Not Vulnerable:
- Redhat JBoss Fuse 6.2
- Redhat JBoss BRMS 6.1
- Redhat Jboss Bpm Suite 6.1
- Redhat JBoss A-MQ 6.2
- IBM Bluemix Liberty for Java 1.13-20150209-1122
- HP Helion Eucalyptus 4.3.1
- Avaya one-X Client Enablement Services 6.1 SP3
- Apache HttpComponents HttpClient 4.3.5
- Apache HttpComponents HttpAsyncClient 4.0.2
Discussion
Apache HttpComponents is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.
Note: This issue exists due to an incomplete fix for CVE-2012-6153 (identified in BID 69257 - Apache HttpComponents Incomplete Fix SSL Certificate Validation Security Bypass Vulnerability).
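The reference titles below describe the weakness as hostname verification that can be bypassed. As an added illustration (not code from Apache HttpComponents or from this advisory), the Python below implements the check a TLS client has to get right: matching the requested hostname against the certificate's structured subjectAltName entries and, only as a legacy fallback, the commonName attribute taken from the structured subject. Working from structured fields rather than from a distinguished name rendered as a string means that text in some other attribute (O, OU, ...) can never be mistaken for a CN. The certificate dictionaries are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the function and constant names are this example's own.

```python
"""RFC 6125-style TLS hostname verification over a structured certificate.

Added illustration; not Apache HttpComponents code. Certificates use the
dict shape of ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs,
each a tuple of (attribute, value) pairs; 'subjectAltName' is a tuple of
(kind, value) pairs with kind 'DNS' or 'IP Address'.
"""
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Match one dNSName (or CN) pattern against a hostname.

    Case-insensitive, trailing dots ignored. A wildcard is accepted only as
    the entire leftmost label, needs at least two labels to its right, and
    covers exactly one label: '*.example.com' matches 'api.example.com' but
    neither 'example.com' nor 'a.b.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # partial wildcards ('f*.example.com') and '*.com' rejected
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def _ip_equal(text, wanted_ip):
    try:
        return ipaddress.ip_address(text) == wanted_ip
    except ValueError:
        return False


def verify_hostname(cert, hostname):
    """Return True if `hostname` is a valid identity for `cert`."""
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal matches only iPAddress SAN entries, never DNS names or the CN.
        return any(_ip_equal(v, wanted_ip) for v in ip_names)

    if dns_names:
        # When dNSName entries exist the CN is ignored entirely (RFC 6125 section 6.4.4).
        return any(_dns_name_matches(p, hostname) for p in dns_names)

    # Legacy fallback: commonName attributes read from the structured subject.
    # Values of other attributes are never consulted, whatever text they hold.
    common_names = [
        value
        for rdn in cert.get("subject", ())
        for kind, value in rdn
        if kind == "commonName"
    ]
    return any(_dns_name_matches(cn, hostname) for cn in common_names)


# Constructed sample certificates for demonstration; not real certificates.
SAN_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "mail.example.net"),)),
}
DECOY_DN_CERT = {
    # organizationName whose value happens to contain the text "CN=www.example.com"
    "subject": ((("organizationName", "foo,CN=www.example.com"),), (("commonName", "other.example.com"),)),
}
SAN_OVERRIDES_CN_CERT = {
    "subject": ((("commonName", "cn.example"),),),
    "subjectAltName": (("DNS", "san.example"),),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "api.example.com"), (SAN_CERT, "example.com"),
                       (CN_ONLY_CERT, "MAIL.example.net"), (DECOY_DN_CERT, "www.example.com"),
                       (SAN_OVERRIDES_CN_CERT, "cn.example"), (IP_CERT, "192.0.2.10")]:
        print(f"{host:22s} -> {verify_hostname(cert, host)}")
```

The design choice worth noting is that every decision is made on typed fields: the SAN list is a list of (kind, value) pairs and the subject a list of attribute pairs, so no string parsing of a DN ever takes place. A client that instead renders the subject to a string and searches it for "CN=" has to get the escaping of commas and equals signs exactly right, which is the kind of mistake an update to a fixed version removes.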
Exploit / POC
An attacker can use readily available network utilities to exploit this issue.
Solution / Fix
Solution:
Updates are available. Please see the references or vendor advisory for more information.
References
References:
- Apache Homepage (Apache)
- Apache HttpComponents Product Page (Apache Software Foundation)
- Bug 1129074 - (CVE-2014-3577) CVE-2014-3577 Apache HttpComponents client: Hostna (Red Hat Bugzilla)
- CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible t (Apache Software Foundation)
- Important: Red Hat JBoss A-MQ 6.2.0 update (Red Hat)
- HPSBGN03687 rev.1 - HPE Helion Eucalyptus, Remote Unauthorized Access, Unauthori (HP)
- HPSBMU03584 rev.1 - HPE Network Node Manager I (NNMi), Multiple Remote Vulnerabi (HP)
- Important: httpcomponents-client security update (Red Hat)
- Important: jakarta-commons-httpclient security update (Red Hat)
- Important: Red Hat JBoss Fuse 6.2.0 update (Red Hat)
- Important: thermostat1-httpcomponents-client security update (Red Hat)
- jakarta-commons-httpclient security update (RHSA-2014-1166) (Avaya)
- Red Hat JBoss Enterprise Application Platform 6.3.0 security update (Red Hat)
- Red Hat JBoss Enterprise Application Platform 6.3.0 security update (Red Hat)
- Security Advisory Important: Red Hat JBoss BPM Suite 6.1.0 update (Red Hat)
- Security Advisory Important: Red Hat JBoss BRMS 6.1.0 update (Red Hat)
- Security Bulletin: Multiple vulnerabilities fixed in Liberty for Java for IBM Bl (IBM)
- Security Bulletin: Multiple vulnerabilities fixed in Liberty for Java for IBM Bl (IBM)
- swg21982420:Vulnerabilities in Apache HttpComponents affect IBM InfoSphere Infor (IBM)
- USN-2769-1: Apache Commons HttpClient vulnerabilities (Ubuntu)