CVE-2012-6153

Impact:
Important
Public Date:
2014-08-14
CWE:
CWE-297
Bugzilla:
1129916: CVE-2012-6153 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix
It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in the subject's Common Name (CN) field of an X.509 certificate was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. Because this CVE covers the defective replacement check rather than the original missing check, a build patched only for CVE-2012-5783 remains exposed; the errata listed on this page are the ones that address it.
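To make the CWE-297 point concrete, the following Python example is added here; it is not HttpComponents, CXF or Red Hat code, and it does not claim to reproduce the exact defective routine. It contrasts a string-parsing shortcut (locate "CN=" in a rendered DN) with attribute-wise extraction from the structured subject plus RFC 6125-style matching that consults subjectAltName first. The certificates, the attacker-controlled OU value and the naive parser are constructed for illustration; certificates use the dict shape Python's ssl.getpeercert() returns.

```python
"""Hostname verification against an X.509 subject: an attribute-wise check
next to a DN-string shortcut of the kind CWE-297 covers.

Added example for this page; not Apache HttpComponents, Apache CXF or Red Hat
code. Every certificate below is constructed."""

# Short attribute names used when rendering a DN as a string (RFC 2253 style).
DN_ABBREV = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}

# Constructed: a legitimate certificate carrying a SAN.
LEGIT_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Inc"),),
                (("commonName", "api.example.com"),)),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "www.example.com")),
}

# Constructed: a legitimate wildcard certificate.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

# Constructed: an attacker-obtained certificate. Its CN is a name the attacker
# controls, but one OU value is the text "CN=api.example.com". RFC 2253 does not
# require '=' to be escaped, so the rendered DN legitimately contains that text.
CRAFTED_CERT = {
    "subject": ((("organizationalUnitName", "CN=api.example.com"),),
                (("commonName", "attacker.example.net"),)),
}


def flatten_dn(subject):
    """Render a structured subject as 'C=US,O=Example Inc,CN=...'."""
    return ",".join(f"{DN_ABBREV.get(attr, attr)}={value}"
                    for rdn in subject for attr, value in rdn)


def naive_cn_from_dn_string(dn):
    """Substring search for 'CN=' in the rendered DN, reading up to the next
    comma. This is the shortcut to avoid: any attribute value containing
    'CN=' is mistaken for the common name."""
    idx = dn.upper().find("CN=")
    if idx < 0:
        return None
    rest = dn[idx + 3:]
    end = rest.find(",")
    return rest if end < 0 else rest[:end]


def naive_verify_hostname(cert, hostname):
    """Verifier built on the string shortcut; it also ignores the SAN."""
    cn = naive_cn_from_dn_string(flatten_dn(cert["subject"]))
    return cn is not None and cn.lower() == hostname.lower()


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; a wildcard is accepted only
    as the whole leftmost label, never spans a dot, and needs at least two
    further labels so '*.com' can never match."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cn_values(subject):
    """Read commonName attribute-wise from the structured subject; another
    attribute's value can never be taken for the CN this way."""
    return [value for rdn in subject for attr, value in rdn if attr == "commonName"]


def verify_hostname(cert, hostname):
    """SAN dNSName entries are authoritative when present; the CN is consulted
    only as a fallback for certificates that carry no dNSName at all."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    candidates = dns_names if dns_names else cn_values(cert["subject"])
    return any(dns_name_matches(c, hostname) for c in candidates)


if __name__ == "__main__":
    for name, cert in (("legit", LEGIT_CERT), ("crafted", CRAFTED_CERT)):
        print(name, "naive:", naive_verify_hostname(cert, "api.example.com"),
              "strict:", verify_hostname(cert, "api.example.com"))
```

Run stand-alone it prints that the naive verifier accepts the crafted certificate for api.example.com while the attribute-wise verifier rejects it. The design points carry over to any language: treat the subject as a sequence of typed attributes rather than a string, prefer the SAN over the CN, and constrain wildcards to one leftmost label.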

Find out more about CVE-2012-6153 from the MITRE CVE dictionary and NIST NVD.

Statement

Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533

This issue affects the versions of HttpComponents Client and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Virtualization 6. A future update may address this issue.

This issue did not affect the jakarta-commons-httpclient packages as shipped with Red Hat Enterprise Linux 5, 6, and 7, and httpcomponents-client packages as shipped with Red Hat Enterprise Linux 7.

Red Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

CVSS v2 metrics

Base Score 5.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Web Platform 5 for RHEL 5 Server (apache-cxf) | RHSA-2014:1833 | 2014-11-10
Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:1163 | 2014-09-04
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2014:2019 | 2014-12-18
Red Hat JBoss SOA Platform 5.3 | RHSA-2015:1888 | 2015-10-12
Red Hat JBoss BPMS 6.0 | RHSA-2015:0851 | 2015-04-16
Red Hat JBoss Fuse Service Works 6.0 | RHSA-2015:0720 | 2015-03-24
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:1323 | 2014-09-29
Red Hat JBoss Web Platform 5.2 | RHSA-2014:1322 | 2014-09-29
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2014:2019 | 2014-12-18
Red Hat JBoss BPMS 6.0 | RHSA-2015:0234 | 2015-02-17
Red Hat JBoss BPMS 6.0 | RHSA-2014:1892 | 2014-11-24
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (apache-cxf) | RHSA-2014:1834 | 2014-11-10
Red Hat JBoss Data Virtualization 6.0 | RHSA-2015:0765 | 2015-03-31
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04
Red Hat JBoss Operations Network 3.3 | RHSA-2014:1904 | 2014-11-25
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2014:2019 | 2014-12-18
Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:2020 | 2014-12-18
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:1836 | 2014-11-10
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29
Red Hat JBoss Web Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29
Red Hat JBoss BRMS 6.0 | RHSA-2014:1891 | 2014-11-24
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04
Red Hat JBoss Portal 6.2 | RHSA-2015:1009 | 2015-05-14
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (apache-cxf) | RHSA-2014:1834 | 2014-11-10
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29
Red Hat JBoss Web Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29
Red Hat JBoss Data Virtualization 6.1 | RHSA-2015:0675 | 2015-03-11
RHEV Manager 3 (org.ovirt.engine-root) | RHSA-2015:0158 | 2015-02-11
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04
Red Hat JBoss BRMS 6.0 | RHSA-2015:0235 | 2015-02-17
Red Hat JBoss Web Platform 5 for RHEL 6 Server (apache-cxf) | RHSA-2014:1833 | 2014-11-10
Red Hat Developer Toolset 2 for Red Hat Enterprise Linux 6 Server (devtoolset-2-httpcomponents-client) | RHSA-2014:1098 | 2014-08-26
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (apache-cxf) | RHSA-2014:1834 | 2014-11-10
Red Hat JBoss Web Platform 5 for RHEL 4 AS (apache-cxf) | RHSA-2014:1833 | 2014-11-10
Red Hat JBoss Web Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29
Red Hat JBoss Web Platform 5.2 | RHSA-2014:1835 | 2014-11-10
Red Hat JBoss BRMS 6.0 | RHSA-2015:0850 | 2015-04-16

Affected Packages State

Platform | Package | State
Red Hat Software Collections 1 for Red Hat Enterprise Linux | maven30-jakarta-commons-httpclient | Not affected
Red Hat Software Collections 1 for Red Hat Enterprise Linux | maven30-httpcomponents-client | Not affected
Red Hat Software Collections 1 for Red Hat Enterprise Linux | thermostat1-httpcomponents-client | Not affected
Red Hat Satellite 6 | httpcomponents-client | Affected
Red Hat Satellite 5 | jakarta-commons-httpclient | Affected
Red Hat OpenShift Enterprise 2 | wagon-http | Not affected
Red Hat OpenShift Enterprise 2 | jakarta-commons-httpclient | Affected
Red Hat OpenShift Enterprise 2 | httpclient | Not affected
Red Hat OpenShift Enterprise 1 | wagon-http | Not affected
Red Hat OpenShift Enterprise 1 | jakarta-commons-httpclient | Will not fix
Red Hat JBoss Portal 5 | httpclient | Affected
Red Hat JBoss Portal 5 | jakarta-commons-httpclient | Affected
Red Hat JBoss Enterprise SOA Platform 4.3 | jakarta-commons-httpclient | Will not fix
Red Hat JBoss EWS 1 | jakarta-commons-httpclient | Will not fix
Red Hat JBoss EAP 4 | jakarta-commons-httpclient | Will not fix
Red Hat JBoss Data Grid 6 | httpclient | Affected
Red Hat JBoss Data Grid 6 | cxf | Affected
Red Hat JBoss BRMS 5 | jakarta-commons-httpclient | Will not fix
Red Hat JBoss BRMS 5 | httpclient | Will not fix
Red Hat JBoss BRMS 5 | cxf | Affected
Red Hat JBoss BRMS 5 | modeshape-client | Will not fix
Red Hat Gluster Storage 3.0 | rhevm-dependencies | Will not fix
Red Hat Gluster Storage 2.1 | rhevm-dependencies | Will not fix
Red Hat Enterprise Linux 7 | jakarta-commons-httpclient | Not affected
Red Hat Enterprise Linux 7 | httpcomponents-client | Not affected
Red Hat Enterprise Linux 6 | jakarta-commons-httpclient | Not affected
Red Hat Enterprise Linux 5 | jakarta-commons-httpclient | Not affected
RHEV Manager 3 | jasperreports-server-pro | Affected
RHEV Manager 3 | rhevm-dependencies | Affected
RHEV Manager 3 | redhat-support-plugin-rhev | Affected

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.

Acknowledgements

This issue was discovered by Florian Weimer of Red Hat Product Security.