Spring Framework: SPR-12100

Update Apache HttpComponents to 4.3.5 - CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack


    Details

    • Type: Task
    • Status: Closed
    • Priority: Major
    • Resolution: Complete
    • Affects Version/s: 3.2.11, 4.0.6
    • Fix Version/s: 4.0.7, 4.1 GA
    • Component/s: Web

      Description

      Security Advisory - Apache Software Foundation
      Apache HttpComponents / hc.apache.org

      Hostname verification susceptible to MITM attack

      CVE-2014-3577 / CVSS 1.4

      Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible
      to a 'Man in the Middle Attack' due to a flaw in the default hostname
      verification during SSL/TLS when a specially crafted server side
      certificate is used.

      Background


      During an SSL connection (https) the client verifies the hostname in
      the URL against the hostname as encoded in the server's certificate (CN,
      subjectAlt fields). This is to ensure that the client connects to the
      'real' server, as opposed to something in the middle (man in the middle)
      that may compromise end-to-end confidentiality and integrity.
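The following is an added illustration of the verification step described above; it is not code from Spring or from Apache HttpComponents. It implements RFC 2818 style hostname matching (SAN dNSName entries decide when present, otherwise the subject CN; a single leading wildcard label) and contrasts an RDN-aware parse of the subject DN with a hypothetical flat-text extraction that takes the first "CN=" it sees. The crafted subject string, the hostnames and the function names are constructed for the example; the naive extractor is a reconstruction of the class of flaw, not a copy of the library's code.

```python
# Added example, not Spring/HttpClient code. Shows why hostname verification must
# parse the subject DN by RDN (honouring quoting) and prefer SAN over CN.
import re
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for the identity fields of an X.509 server certificate."""
    subject_dn: str                      # RFC 2253 style string
    san_dns: list = field(default_factory=list)   # subjectAltName dNSName entries


def parse_dn(dn):
    """Split an RFC 2253 DN string into (type, value) pairs, treating
    double-quoted values and backslash-escaped characters as opaque."""
    pairs, buf, attr_type, in_quote, i = [], [], None, False, 0
    while i < len(dn):
        c = dn[i]
        if c == '\\' and i + 1 < len(dn):          # escaped character: literal
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote                 # quotes delimit, not part of value
        elif not in_quote and c == '=' and attr_type is None:
            attr_type = ''.join(buf).strip()
            buf = []
        elif not in_quote and c in ',;':            # RDN separator outside quotes
            pairs.append((attr_type, ''.join(buf).strip()))
            buf, attr_type = [], None
        else:
            buf.append(c)
        i += 1
    if attr_type is not None:
        pairs.append((attr_type, ''.join(buf).strip()))
    return pairs


def get_cn(dn):
    """CN from the first CN RDN, using the RDN-aware parser."""
    for attr_type, value in parse_dn(dn):
        if attr_type.upper() == 'CN':
            return value
    return None


def get_cn_naive(dn):
    """Hypothetical flawed extraction: treats the DN as flat text and returns
    whatever follows the first 'cn=', ignoring RDN boundaries and quoting."""
    m = re.search(r'cn=([^,]*)', dn, re.IGNORECASE)
    return m.group(1).strip().strip('"') if m else None


def match_name(pattern, host):
    """Case-insensitive match of one dNSName/CN pattern against a hostname.
    A leading '*' matches exactly one label and only with >= 2 further labels."""
    pattern, host = pattern.lower().rstrip('.'), host.lower().rstrip('.')
    if '*' not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split('.'), host.split('.')
    if p_labels[0] != '*' or len(p_labels) < 3 or '*' in ''.join(p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert, host, cn_extractor=get_cn):
    """If the certificate carries SAN dNSName entries they alone decide;
    otherwise fall back to the subject CN obtained via cn_extractor."""
    if cert.san_dns:
        return any(match_name(name, host) for name in cert.san_dns)
    cn = cn_extractor(cert.subject_dn)
    return cn is not None and match_name(cn, host)


# Constructed sample certificates (not real issuances):
# an attacker's legitimate cert for evil.example whose O attribute smuggles
# "CN=www.bank.example", and an honest cert that relies on SAN entries.
CRAFTED = Cert(subject_dn='O="Acme, CN=www.bank.example",CN=evil.example')
HONEST = Cert(subject_dn='CN=www.bank.example,O=Bank',
              san_dns=['www.bank.example', '*.bank.example'])


def demo():
    """Return the outcome of each check so the behaviour can be asserted on."""
    return {
        'naive_accepts_crafted': verify_hostname(CRAFTED, 'www.bank.example', get_cn_naive),
        'strict_rejects_crafted': not verify_hostname(CRAFTED, 'www.bank.example', get_cn),
        'strict_accepts_own_host': verify_hostname(CRAFTED, 'evil.example', get_cn),
        'san_wildcard_matches_one_label': verify_hostname(HONEST, 'api.bank.example'),
        'san_wildcard_rejects_two_labels': not verify_hostname(HONEST, 'a.b.bank.example'),
    }


if __name__ == '__main__':
    for check, ok in demo().items():
        print(f'{check}: {ok}')
```

With the flat-text extractor the crafted certificate is accepted for www.bank.example, while the RDN-aware parse binds it only to evil.example; a certificate that carries SAN entries never reaches the CN path at all.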


            People

            Assignee:
            juergen.hoeller Juergen Hoeller
            Reporter:
            riversidecoder JimK
            Last updater:
            Spring Issues Spring Issues
            Votes: 0
            Watchers: 2

              Dates

              Days since last comment: 3 years, 31 weeks ago