Do CVE-2012-6153 and CVE-2014-3577 affect Red Hat products?

Solution In Progress

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 6.x
    • 7.x
  • Red Hat Enterprise Virtualization (RHEV)
    • 3.x
  • Red Hat JBoss Portal (JPP)
    • 5.x
    • 6.x
  • Red Hat JBoss BRMS (BRMS)
    • 6.x
    • 5.x
  • Red Hat JBoss BPM Suite (BPMS)
    • 6.x
  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
    • 5.x
  • Red Hat JBoss SOA Platform (SOA-P)
    • 5.x
  • Red Hat JBoss Fuse Service Works (FSW)
    • 6.x
  • Red Hat Network Satellite
    • 5.x
  • Red Hat Developer Toolset
    • 2.1
  • Red Hat Software Collections
    • 1.x
  • Red Hat JBoss Operations Network (JON)
    • 3.x
  • Red Hat JBoss Web Framework Kit (WFK)
    • 2.x
  • OpenShift Enterprise
    • 1.x
    • 2.x

Issue

In late 2012, a research paper was published showing that several commonly used libraries that handle SSL connections failed to verify that the server hostname matches a domain name in the subject's CN or subjectAltName field of the X.509 certificate. Apache HttpClient was one of these libraries, and the issue in HttpClient was identified by CVE-2012-5783. There are two main version streams of HttpClient currently in use: Apache Commons HttpClient 3.x (also known as Apache Jakarta Commons HttpClient) and Apache HttpComponents HttpClient 4.x.

While reviewing the patch in November 2012, engineers from Red Hat Product Security noticed that the fix for CVE-2012-5783 was incomplete. The code added to check that the server hostname matches the domain name in the subject's CN field was flawed. This can be exploited by a man-in-the-middle (MITM) attack in which the attacker spoofs a valid certificate using a specially crafted subject. A patch for this issue was committed upstream and incorporated into HttpClient 4.2.3. At the time, it was unclear whether this issue was feasibly exploitable, so no CVE ID was assigned. It has since become apparent that it is exploitable, and this issue has been assigned CVE-2012-6153.

It has now been reported that the patch for CVE-2012-6153 was still incomplete, and that a man-in-the-middle (MITM) attack in which the attacker spoofs a valid certificate using a different specially crafted subject is still possible. This issue has been assigned CVE-2014-3577.
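The verification rule these issues concern, written out as an added illustration in Python (this is not HttpClient's code): the hostname is matched against the certificate's subjectAltName DNS entries, the subject CN is used only as a fallback when no DNS SAN is present, and the CN is read from the parsed subject RDNs rather than from the DN rendered as a string. The certificate dicts are constructed samples in the shape returned by Python's ssl.SSLSocket.getpeercert(); they are not real certificates.

```python
def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: exact, or a single wildcard as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must have at least two
    # labels to its right (so "*.com" never matches), and matches one label only.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is a valid identity for the parsed certificate."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        # A DNS subjectAltName is present: the CN is not consulted at all.
        return any(_dns_name_match(n, hostname) for n in dns_names)
    # Fallback: CN values come only from parsed RDN tuples. An attribute whose
    # value merely contains the text "CN=..." is not a commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_name_match(cn, hostname) for cn in cns)


# Constructed samples (not real certificates), in getpeercert() dict shape.
SAN_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Corp"),),
                (("commonName", "www.example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "CN=www.example.com"),),
                (("commonName", "other.example.net"),)),
}
SAN_MISMATCH_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "unrelated.example.org"),),
}
```

`getpeercert()` only returns the parsed dict when the socket was created with certificate verification enabled, so in practice this check sits on top of, not in place of, chain validation.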

Resolution

Some Red Hat products include versions of HttpClient that are patched for CVE-2012-6153, but still vulnerable to CVE-2014-3577. Other Red Hat products include versions of HttpClient that are still vulnerable to the original CVE-2012-6153 issue. Red Hat is currently working on patches for all affected products as a high priority. The patches will ensure both issues are resolved.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
