Apache-SSL Client Certificate Forging Vulnerability
BID:9590
Info
| Bugtraq ID: | 9590 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 06 2004 12:00AM |
| Updated: | Feb 06 2004 12:00AM |
| Credit: | Discovery of this vulnerability has been credited to Wietse Venema. |
| Vulnerable: | Apache-SSL Apache-SSL 1.47, Apache-SSL Apache-SSL 1.46, Apache-SSL Apache-SSL 1.45, Apache-SSL Apache-SSL 1.44, Apache-SSL Apache-SSL 1.42, Apache-SSL Apache-SSL 1.41, Apache-SSL Apache-SSL 1.40, Apache-SSL Apache-SSL 1.39, Apache-SSL Apache-SSL 1.3.28 +1.52 |
| Not Vulnerable: | Apache-SSL Apache-SSL 1.3.29 +1.53 |
Discussion
Apache-SSL has been reported to be prone to a client certificate forging vulnerability. The issue exists only when Apache-SSL is configured in a specific manner. A server with that configuration may reportedly allow a remote attacker to forge a valid client certificate.
Exploit / POC
There is no exploit required.
Solution / Fix
Solution:
The vendor has released an upgrade to address this issue.
Apache-SSL Apache-SSL 1.3.28 +1.52
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.39
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.40
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.41
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.42
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.44
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.45
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.46
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
Apache-SSL Apache-SSL 1.47
- Apache-SSL apache_1.3.29+ssl_1.53 http://www.apache-ssl.org/#Download
References
References:
- Apache-SSL Homepage (Apache-SSL)
- [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior (Adam Laurie)