CVE-2014-3577

Impact: Important
Public Date: 2014-08-18
CWE: CWE-297
Bugzilla: 1129074 - CVE-2014-3577 Apache HttpComponents client / Apache CXF: SSL hostname verification bypass, incomplete CVE-2012-6153 fix
It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate.
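The page describes the flaw only as a defective check of the server hostname against the certificate's Common Name; it does not give the details of the defective code. The following is an added example (not Red Hat's, HttpComponents' or CXF's code) of how a hostname check against an X.509 peer certificate should be structured: subjectAltName dNSName entries take precedence, the CN is a fallback only and is read from the parsed RDN attribute rather than from a flattened DN string, wildcards are restricted to the leftmost label, and IP literals match only iPAddress SAN entries. The certificate records are constructed inline in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, so it runs offline.

```python
import ipaddress

# Constructed peer-certificate records in the shape returned by
# ssl.SSLSocket.getpeercert(): 'subject' is a tuple of RDNs, each RDN a tuple of
# (attribute, value) pairs; 'subjectAltName' is a tuple of (type, value) pairs.
CERT_WITH_SAN = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "other.example.org"),)),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("organizationName", "Legacy Ltd"),),
                (("commonName", "legacy.example.net"),)),
}
CERT_WITH_IP = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}


def presented_dns_names(cert):
    """Names the certificate presents for DNS matching (RFC 6125 section 6.4.4).

    If the certificate carries any dNSName SAN entry, only those entries count
    and the subject CN is ignored.  Only when no dNSName is present do we fall
    back to the CN, and we take it from the commonName attribute of the parsed
    RDN structure rather than by searching a flattened "C=..,O=..,CN=.." string,
    so free-form text in other attributes cannot influence the result.
    """
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return san_dns
    return [value for rdn in cert.get("subject", ())
            for attr, value in rdn if attr == "commonName"]


def matches_dns_pattern(pattern, hostname):
    """Compare one presented identifier with the reference hostname.

    Comparison is case-insensitive; a wildcard is accepted only as the whole
    leftmost label, matches exactly one label, and is rejected in patterns with
    fewer than three labels (no "*.com").
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert, hostname):
    """Return True if cert is valid for hostname (a DNS name or an IP literal)."""
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals match only iPAddress SAN entries, never the CN or a dNSName.
        return any(ipaddress.ip_address(value) == wanted_ip
                   for kind, value in cert.get("subjectAltName", ())
                   if kind == "IP Address")
    return any(matches_dns_pattern(p, hostname) for p in presented_dns_names(cert))


if __name__ == "__main__":
    for cert, host in [(CERT_WITH_SAN, "www.example.com"),
                       (CERT_WITH_SAN, "other.example.org"),
                       (CERT_CN_ONLY, "legacy.example.net"),
                       (CERT_WITH_IP, "192.0.2.10")]:
        print(f"{host:>20}: {'accept' if verify_hostname(cert, host) else 'reject'}")
```

The second demo case is the one worth noticing: `CERT_WITH_SAN` names `other.example.org` in its CN, but because the certificate carries dNSName entries the CN is never consulted, so a connection to that host is rejected. In real code this check runs after chain validation, not instead of it.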

Find out more about CVE-2014-3577 from the MITRE CVE dictionary and NIST NVD.

Statement

Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533

This issue affects the versions of HttpComponents Client as shipped with Red Hat JBoss Data Grid 6 and Red Hat JBoss Data Virtualization 6; and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Grid 6 and JBoss Data Virtualization 6. A future update may address this issue.

Red Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/

Fuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/

CVSS v2 metrics

| Metric | Value |
|---|---|
| Base Score | 5.8 |
| Base Metrics | AV:N/AC:M/Au:N/C:P/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |

CVSS v3 metrics

| Metric | Value |
|---|---|
| CVSS3 Base Score | 4.8 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | Low |
| Integrity Impact | Low |
| Availability Impact | None |

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Web Platform 5 for RHEL 5 Server (apache-cxf) | RHSA-2014:1833 | 2014-11-10 |
| Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:1163 | 2014-09-04 |
| Red Hat JBoss A-MQ 6.2 | RHSA-2016:1931 | 2016-09-23 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 (thermostat1-httpcomponents-client) | RHSA-2014:1082 | 2014-08-20 |
| Red Hat JBoss SOA Platform 5.3 | RHSA-2015:1888 | 2015-10-12 |
| Red Hat JBoss BPMS 6.0 | RHSA-2015:0851 | 2015-04-16 |
| Red Hat JBoss Fuse Service Works 6.0 | RHSA-2015:0720 | 2015-03-24 |
| Red Hat Enterprise Linux 7 (jakarta-commons-httpclient) | RHSA-2014:1166 | 2014-09-08 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:1323 | 2014-09-29 |
| Red Hat JBoss Web Platform 5.2 | RHSA-2014:1322 | 2014-09-29 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server | RHSA-2014:2019 | 2014-12-18 |
| Red Hat JBoss BPMS 6.0 | RHSA-2015:0234 | 2015-02-17 |
| Red Hat JBoss BPMS 6.0 | RHSA-2014:1892 | 2014-11-24 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (apache-cxf) | RHSA-2014:1834 | 2014-11-10 |
| Red Hat Enterprise Linux 5 (jakarta-commons-httpclient) | RHSA-2014:1166 | 2014-09-08 |
| Red Hat JBoss Data Virtualization 6.0 | RHSA-2015:0765 | 2015-03-31 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04 |
| Red Hat JBoss Operations Network 3.3 | RHSA-2014:1904 | 2014-11-25 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2014:2019 | 2014-12-18 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2014:2019 | 2014-12-18 |
| Red Hat JBoss Enterprise Application Platform 6.3 | RHSA-2014:2020 | 2014-12-18 |
| Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2014:1836 | 2014-11-10 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29 |
| Red Hat JBoss Web Platform 5 for RHEL 6 Server (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29 |
| Red Hat JBoss BRMS 6.0 | RHSA-2014:1891 | 2014-11-24 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04 |
| Red Hat JBoss Fuse 6.2 | RHSA-2015:1176 | 2015-06-23 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (apache-cxf) | RHSA-2014:1834 | 2014-11-10 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2014:1321 | 2014-09-29 |
| Red Hat Enterprise Linux 6 (jakarta-commons-httpclient) | RHSA-2014:1166 | 2014-09-08 |
| RHOSE Client 2.0 | RHSA-2016:1773 | 2016-08-24 |
| Red Hat JBoss Web Platform 5 for RHEL 5 Server (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29 |
| Red Hat JBoss Data Virtualization 6.1 | RHSA-2015:0675 | 2015-03-11 |
| RHEV Manager 3 (org.ovirt.engine-root) | RHSA-2015:0158 | 2015-02-11 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (httpcomponents-eap6) | RHSA-2014:1162 | 2014-09-04 |
| Red Hat JBoss BRMS 6.0 | RHSA-2015:0235 | 2015-02-17 |
| Red Hat JBoss Web Platform 5 for RHEL 6 Server (apache-cxf) | RHSA-2014:1833 | 2014-11-10 |
| Red Hat JBoss Portal 6.2 | RHSA-2015:1009 | 2015-05-14 |
| Red Hat JBoss Fuse 6.2 | RHSA-2016:1931 | 2016-09-23 |
| Red Hat JBoss A-MQ 6.2 | RHSA-2015:1177 | 2015-06-23 |
| Red Hat Enterprise Linux 7 (httpcomponents-client) | RHSA-2014:1146 | 2014-09-03 |
| Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (apache-cxf) | RHSA-2014:1834 | 2014-11-10 |
| Red Hat JBoss Web Platform 5 for RHEL 4 AS (apache-cxf) | RHSA-2014:1833 | 2014-11-10 |
| Red Hat JBoss Web Platform 5 for RHEL 4 AS (jakarta-commons-httpclient) | RHSA-2014:1320 | 2014-09-29 |
| Red Hat JBoss Web Platform 5.2 | RHSA-2014:1835 | 2014-11-10 |
| Red Hat JBoss BRMS 6.0 | RHSA-2015:0850 | 2015-04-16 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Virtualization 4 | ovirt-engine-sdk-java | Affected |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux | maven30-jakarta-commons-httpclient | Affected |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux | maven30-httpcomponents-client | Affected |
| Red Hat Satellite 6 | httpcomponents-client | Affected |
| Red Hat Satellite 5 | jakarta-commons-httpclient | Will not fix |
| Red Hat OpenShift Enterprise 1 | wagon-http | Not affected |
| Red Hat OpenShift Enterprise 1 | jakarta-commons-httpclient | Will not fix |
| Red Hat JBoss Portal 5 | httpclient | Affected |
| Red Hat JBoss Portal 5 | jakarta-commons-httpclient | Affected |
| Red Hat JBoss Enterprise SOA Platform 4.3 | jakarta-commons-httpclient | Will not fix |
| Red Hat JBoss EWS 1 | jakarta-commons-httpclient | Will not fix |
| Red Hat JBoss EAP 4 | jakarta-commons-httpclient | Will not fix |
| Red Hat JBoss Data Grid 6 | httpclient | Affected |
| Red Hat JBoss Data Grid 6 | cxf | Affected |
| Red Hat JBoss BRMS 5 | jakarta-commons-httpclient | Will not fix |
| Red Hat JBoss BRMS 5 | httpclient | Will not fix |
| Red Hat JBoss BRMS 5 | cxf | Affected |
| Red Hat JBoss BRMS 5 | modeshape-client | Will not fix |
| Red Hat Gluster Storage 3.0 | rhevm-dependencies | Will not fix |
| Red Hat Gluster Storage 2.1 | rhevm-dependencies | Will not fix |
| RHEV Manager 3.5 | rhevm-dependencies | Affected |
| RHEV Manager 3.4 | rhevm-dependencies | Will not fix |
| RHEV Manager 3 | jasperreports-server-pro | Affected |
| RHEV Manager 3 | redhat-support-plugin-rhev | Affected |