Bug 1134598 - (CVE-2012-5784) VUL-0: CVE-2012-5784, CVE-2014-3596: axis: missing connection hostname check against X.509 certificate name
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Security Team bot
https://smash.suse.de/issue/76767/
maint:released:sle10-sp3:64291
Reported: 2019-05-09 13:32 UTC by Alexandros Toptsoglou
Modified: 2019-10-11 22:48 UTC

Description Alexandros Toptsoglou 2019-05-09 13:32:20 UTC
CVE-2012-5784

Common Vulnerabilities and Exposures assigned an identifier CVE-2012-5784 to the following vulnerability:

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-3596

It was found that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject.


References:
[1] http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
[2] https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
[3] http://www.sigsac.org/ccs/CCS2012/techprogram.shtml

References:
https://bugzilla.redhat.com/show_bug.cgi?id=873252
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784
https://rhn.redhat.com/errata/RHSA-2013-0269.html
http://rhn.redhat.com/errata/RHSA-2013-0683.html
https://rhn.redhat.com/errata/RHSA-2013-0683.html
https://rhn.redhat.com/errata/RHSA-2014-0037.html
http://people.canonical.com/~ubuntu-security/cve/2012/CVE-2012-5784.html
https://rhn.redhat.com/errata/RHSA-2014-1123.html
https://access.redhat.com/security/cve/CVE-2012-5784
http://rhn.redhat.com/errata/RHSA-2014-0037.html
http://rhn.redhat.com/errata/RHSA-2013-0269.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
http://www.securityfocus.com/bid/56408
http://secunia.com/advisories/51219
http://xforce.iss.net/xforce/xfdb/79829
http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E
http://activemq.apache.org/axis-and-cxf-support.html
https://bugzilla.redhat.com/show_bug.cgi?id=1129935
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3596
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#CVE-2014-3596
http://www.openwall.com/lists/oss-security/2014/08/20/2
http://rhn.redhat.com/errata/RHSA-2014-1193.html
https://rhn.redhat.com/errata/RHSA-2015-1010.html
https://access.redhat.com/errata/RHSA-2015:1010
https://rhn.redhat.com/errata/RHSA-2014-1193.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3596.html
https://access.redhat.com/security/cve/CVE-2014-3596
http://www.cvedetails.com/cve/CVE-2014-3596/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596
https://exchange.xforce.ibmcloud.com/vulnerabilities/95377
http://www.securityfocus.com/bid/69295
http://linux.oracle.com/errata/ELSA-2014-1193.html
http://secunia.com/advisories/61222
https://issues.apache.org/jira/browse/AXIS-2905
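
The CVE-2014-3596 text above says the CN check added for CVE-2012-5784 could be satisfied by a specially crafted subject. The Java example below is an added illustration, not Axis code or the linked patch: it contrasts text-based CN extraction with structural parsing of the subject DN, covering the CN case only and leaving subjectAltName aside. Class and method names, hostnames and the sample subject are constructed, and the string-search variant is an assumed shape of such a flaw.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnCheck {

    // Text-based extraction (assumed shape of a flawed check): any "CN=" found
    // in a comma-separated piece of the DN string is treated as a common name,
    // even when it sits inside the value of another attribute.
    static List<String> cnsByStringSearch(String subjectDn) {
        List<String> cns = new ArrayList<>();
        for (String part : subjectDn.split(",")) {
            int i = part.indexOf("CN=");
            if (i >= 0) cns.add(part.substring(i + 3).trim());
        }
        return cns;
    }

    // Structural extraction: parse the DN and accept only RDNs whose
    // attribute type is CN; attribute values are never re-scanned as text.
    static List<String> cnsByParsing(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) cns.add(rdn.getValue().toString());
        }
        return cns;
    }

    // Exact, case-insensitive comparison only; wildcard names are out of scope here.
    static boolean matches(String host, List<String> names) {
        String h = host.toLowerCase(Locale.ROOT);
        return names.stream().anyMatch(n -> n.toLowerCase(Locale.ROOT).equals(h));
    }

    public static void main(String[] args) throws InvalidNameException {
        String host = "payments.example.com"; // hostname the client intended to reach
        // Constructed subject: the expected hostname appears only inside the O value.
        String dn = "CN=other.example.net,O=CN=payments.example.com,C=US";
        System.out.println("string search accepts: " + matches(host, cnsByStringSearch(dn)));
        System.out.println("parsed DN accepts:     " + matches(host, cnsByParsing(dn)));
    }
}
```

A subject like the constructed one makes a useful regression test when backporting the fix: the verifier must reject it for the intended hostname.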
Comment 1 Alexandros Toptsoglou 2019-05-09 13:36:07 UTC
All code-streams are affected. There is a patch at [1] that solves both issues. More info regarding the issue at [2]

[1] https://issues.apache.org/jira/secure/attachment/12662672/CVE-2014-3596.patch
[2] https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=16832589#comment-16832589
Comment 3 Pedro Monreal Gonzalez 2019-05-09 18:49:06 UTC
Correction:
SLE-11     https://build.suse.de/request/show/192312
Comment 5 Swamp Workflow Management 2019-05-28 19:13:20 UTC
SUSE-SU-2019:1373-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1134598
CVE References: CVE-2012-5784,CVE-2014-3596
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    axis-1.4-5.8.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    axis-1.4-5.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-05-30 10:16:13 UTC
SUSE-SU-2019:1382-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1134598
CVE References: CVE-2012-5784,CVE-2014-3596
Sources used:
SUSE Linux Enterprise Server 12-SP4 (src):    axis-1.4-290.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    axis-1.4-290.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-05-31 12:19:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2019-06-14.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64290
Comment 9 Swamp Workflow Management 2019-06-03 10:19:22 UTC
openSUSE-SU-2019:1497-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1134598
CVE References: CVE-2012-5784,CVE-2014-3596
Sources used:
openSUSE Leap 15.0 (src):    axis-1.4-lp150.9.1
Comment 10 Swamp Workflow Management 2019-06-07 19:12:03 UTC
openSUSE-SU-2019:1526-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1134598
CVE References: CVE-2012-5784,CVE-2014-3596
Sources used:
openSUSE Leap 42.3 (src):    axis-1.4-300.1
Comment 11 Marcus Meissner 2019-09-04 06:10:36 UTC
released
Comment 12 Swamp Workflow Management 2019-10-11 19:25:12 UTC
SUSE-SU-2019:1373-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1134598
CVE References: CVE-2012-5784,CVE-2014-3596
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    axis-1.4-5.8.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    axis-1.4-5.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.