Skip to main content

CVE-2014-3603

Severity

5.9

Description

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Mitigation

>>>IdP users: Upgrade to IdP 2.4.1 or greater, which globally configures an appropriate hostname verifier for use with HttpClient. If this is not feasible, and the only use of these resource types is with a ResourceBackedMetadataProvider, then consider replacing the latter with either a HTTPMetadataProvider or FileBackedHTTPMetadataProvider.

>>>OpenSAML users: Upgrade to OpenSAML Java 2.6.2 or greater, which globally configures an appropriate hostname verifier for use with HttpClient. If this is not feasible, it is also possible to replicate in your own code the registration of the appropriate hostname-verifying socket factory added in 2.6.2. See the HttpClient 3.x web site, or contact the Shibboleth developer list for details.

>>>Note that in IdP v2.4.0 and above, use of the HTTP metadata provider configuration option 'disregardSslCertificate' will globally disable HttpClient hostname verification as well as TLS certificate trust evaluation. This would include the HttpResource hostname verification being added in the 2.4.1 release. This is a limitation caused by API issues with HttpClient 3.x, and will be addressed in the 3.x version of the Identity Provider. See the following related security advisory: http://shibboleth.net/community/advisories/secadv_20130417.txt

Reference: [https://shibboleth.net/community/advisories/secadv_20140813.txt](https://shibboleth.net/community/advisories/secadv_20140813.txt)

Project

Apache TomEE

Category
Other
Tags
data
functional
Date Disclosed

2019-04-04

Date Discovered

2014-05-14

Apache TomEE 1.7.x

First release:
2014-08-09
CVEs:
87
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
101
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
111
Support Lifecycle:
Namespace:
javax

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
121
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.