Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

Bugtraq ID:	69295
Class:	Design Error
CVE:	CVE-2014-3596
Remote:	Yes
Local:	No
Published:	Aug 20 2014 12:00AM
Updated:	May 02 2017 01:10AM
Credit:	David Jorm, and Arun Neelicattu of Red Hat Product Security.
Vulnerable:	Redhat Enterprise Linux Workstation 6 Redhat Enterprise Linux Server EUS 6.5.z Redhat Enterprise Linux Server AUS 6.5 Redhat Enterprise Linux Server 6 Redhat Enterprise Linux HPC Node 6 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 6 Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux 5 Server Oracle PeopleSoft Enterprise PeopleTools 8.55 Oracle PeopleSoft Enterprise PeopleTools 8.54 Oracle Enterprise Linux 6.2 Oracle Enterprise Linux 6 IBM FileNet Content Manager 5.2.1 IBM FileNet Content Manager 5.2.0 IBM FileNet Business Process Management 5.0.0 IBM Content Foundation 5.2.1 IBM Content Foundation 5.2.0 CentOS CentOS 6 Apache Axis 1.4
Not Vulnerable:

Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

Apache Axis is prone to a security-bypass vulnerability because the application fails to properly validate SSL certificates from the server.

Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or impersonate trusted servers, which will aid in further attacks.

Note: This issue exists due to an incomplete fix for CVE-2012-5784 (identified in BID 56408 - Apache Axis and Axis2/Java SSL Certificate Validation Security Bypass Vulnerability).

Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

An attacker can use readily available network utilities to exploit this issue.

Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Apache Axis Incomplete Fix CVE-2014-3596 SSL Certificate Validation Security Bypass Vulnerability

References:

• Apache Homepage (Apache)
  
• Bug 1129935 - (CVE-2014-3596) CVE-2014-3596 axis: Hostname verification suscepti (Apache Software Foundation)
  
• CVE-2014-3596 Patch (Apache Software Foundation)
  
• Insecure certificate validation CVE-2014-3596 (Apache Software Foundation)
  
• Important: axis security update (Red Hat)
  
• Oracle Critical Patch Update Advisory - April 2017 (Oracle)
  
• swg21965451 - Two vulnerabilities exist in IBM Case Foundation and FileNet Busin (IBM)