Does CVE-2014-3596 affect Red Hat products?

Solution In Progress - Updated -

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 6.x
  • Red Hat Enterprise Virtualization (RHEV)
    • 3.x
  • Red Hat JBoss Portal (JPP)
    • 5.x
    • 6.x
  • Red Hat Network Satellite
    • 5.x

Issue

In late 2012, a research paper was published, showing that several commonly used libraries that handledSSL connections failed to verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the x.509 certificate. Apache Axis 1 was one of these libraries, and the issue in Axis 1 was identified by CVE-2012-5784.

While reviewing the patch in August 2014, engineers from Red Hat Product Security noticed that the fix for CVE-2012-5784 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can spoof a valid certificate using a specially crafted subject. This new issue is identified by CVE-2014-3596.

Note that Axis 1 has reached its end-of-life (EOL) upstream, and the incomplete patch for CVE-2012-5784 was never merged upstream. It was, however, shipped by various vendors, including Debian and Red Hat.

Resolution

Red Hat is currently working on patches for all affected products as a high priority.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.