What is the severity of CVE-2014-3577?

The severity of CVE-2014-3577 is classified as medium due to the potential for man-in-the-middle attacks.

How do I fix CVE-2014-3577?

To fix CVE-2014-3577, you should upgrade to Apache HttpClient version 4.3.5 or higher.

Which versions are affected by CVE-2014-3577?

Versions of Apache HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 are affected by CVE-2014-3577.

What is the impact of CVE-2014-3577?

CVE-2014-3577 allows attackers to perform man-in-the-middle attacks due to improper hostname verification.

Is CVE-2014-3577 exploitable remotely?

Yes, CVE-2014-3577 is exploitable remotely as it involves network communications that can be intercepted.

Vulnerability/
CVE-2014-3577

medium

5.8

CWE

347 297

12/8/2014

18/8/2014

21/8/2014

17/10/2018

6/8/2024

CVE-2014-3577

First published: Tue Aug 12 2014(Updated: )

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/jakarta-commons-httpclient	<1:3.1-4_patch_02.ep5.el5	1:3.1-4_patch_02.ep5.el5
redhat/jboss-seam2	<0:2.2.6.EAP5-22_patch_01.ep5.el5	0:2.2.6.EAP5-22_patch_01.ep5.el5
redhat/apache-cxf	<0:2.2.12-14.patch_09.ep5.el5	0:2.2.12-14.patch_09.ep5.el5
redhat/jakarta-commons-httpclient	<1:3.1-4_patch_02.el6_5	1:3.1-4_patch_02.el6_5
redhat/jboss-seam2	<0:2.2.6.EAP5-22_patch_01.el6	0:2.2.6.EAP5-22_patch_01.el6
redhat/apache-cxf	<0:2.2.12-14.patch_09.el6	0:2.2.12-14.patch_09.el6
redhat/jakarta-commons-httpclient	<1:3.0-7jpp.4.el5_10	1:3.0-7jpp.4.el5_10
redhat/jakarta-commons-httpclient	<1:3.1-0.9.el6_5	1:3.1-0.9.el6_5
redhat/httpcomponents-client	<0:4.2.5-5.el7_0	0:4.2.5-5.el7_0
redhat/jakarta-commons-httpclient	<1:3.1-16.el7_0	1:3.1-16.el7_0
redhat/jakarta-commons-httpclient	<1:3.1-4_patch_02.ep5.el4	1:3.1-4_patch_02.ep5.el4
redhat/jboss-seam2	<0:2.2.6.EAP5-22_patch_01.ep5.el4	0:2.2.6.EAP5-22_patch_01.ep5.el4
redhat/apache-cxf	<0:2.2.12-14.patch_09.ep5.el4	0:2.2.12-14.patch_09.ep5.el4
redhat/httpcomponents-eap6	<0:6-12.redhat_2.1.ep6.el5	0:6-12.redhat_2.1.ep6.el5
redhat/apache-cxf	<0:2.7.12-1.SP1_redhat_5.1.ep6.el5	0:2.7.12-1.SP1_redhat_5.1.ep6.el5
redhat/wss4j	<0:1.6.16-2.redhat_3.1.ep6.el5	0:1.6.16-2.redhat_3.1.ep6.el5
redhat/httpcomponents-eap6	<0:6-12.redhat_2.1.ep6.el6	0:6-12.redhat_2.1.ep6.el6
redhat/apache-cxf	<0:2.7.12-1.SP1_redhat_5.1.ep6.el6	0:2.7.12-1.SP1_redhat_5.1.ep6.el6
redhat/wss4j	<0:1.6.16-2.redhat_3.1.ep6.el6	0:1.6.16-2.redhat_3.1.ep6.el6
redhat/httpcomponents-eap6	<0:6-12.redhat_2.1.ep6.el7	0:6-12.redhat_2.1.ep6.el7
redhat/apache-cxf	<0:2.7.12-1.SP1_redhat_5.1.ep6.el7	0:2.7.12-1.SP1_redhat_5.1.ep6.el7
redhat/wss4j	<0:1.6.16-2.redhat_3.1.ep6.el7	0:1.6.16-2.redhat_3.1.ep6.el7
redhat/jenkins	<0:2.319.2.1643288987-1.el8	0:2.319.2.1643288987-1.el8
redhat/activemq	<0:5.9.0-6.redhat.611463.el6	0:5.9.0-6.redhat.611463.el6
redhat/jenkins	<0:1.651.2-1.el6	0:1.651.2-1.el6
redhat/libcgroup	<0:0.40.rc1-18.el6_8	0:0.40.rc1-18.el6_8
redhat/openshift-origin-broker	<0:1.16.3.2-1.el6	0:1.16.3.2-1.el6
redhat/openshift-origin-broker-util	<0:1.37.6.2-1.el6	0:1.37.6.2-1.el6
redhat/openshift-origin-cartridge-cron	<0:1.25.4.2-1.el6	0:1.25.4.2-1.el6
redhat/openshift-origin-cartridge-diy	<0:1.26.2.2-1.el6	0:1.26.2.2-1.el6
redhat/openshift-origin-cartridge-haproxy	<0:1.31.6.2-1.el6	0:1.31.6.2-1.el6
redhat/openshift-origin-cartridge-jbosseap	<0:2.27.4.2-1.el6	0:2.27.4.2-1.el6
redhat/openshift-origin-cartridge-jbossews	<0:1.35.5.2-1.el6	0:1.35.5.2-1.el6
redhat/openshift-origin-cartridge-jenkins	<0:1.29.2.2-1.el6	0:1.29.2.2-1.el6
redhat/openshift-origin-cartridge-jenkins-client	<0:1.26.1.1-1.el6	0:1.26.1.1-1.el6
redhat/openshift-origin-cartridge-mongodb	<0:1.26.2.2-1.el6	0:1.26.2.2-1.el6
redhat/openshift-origin-cartridge-mysql	<0:1.31.3.3-1.el6	0:1.31.3.3-1.el6
redhat/openshift-origin-cartridge-nodejs	<0:1.33.1.2-1.el6	0:1.33.1.2-1.el6
redhat/openshift-origin-cartridge-perl	<0:1.30.2.2-1.el6	0:1.30.2.2-1.el6
redhat/openshift-origin-cartridge-php	<0:1.35.4.2-1.el6	0:1.35.4.2-1.el6
redhat/openshift-origin-cartridge-python	<0:1.34.3.2-1.el6	0:1.34.3.2-1.el6
redhat/openshift-origin-cartridge-ruby	<0:1.32.2.2-1.el6	0:1.32.2.2-1.el6
redhat/openshift-origin-msg-node-mcollective	<0:1.30.2.2-1.el6	0:1.30.2.2-1.el6
redhat/openshift-origin-node-proxy	<0:1.26.3.1-1.el6	0:1.26.3.1-1.el6
redhat/openshift-origin-node-util	<0:1.38.7.1-1.el6	0:1.38.7.1-1.el6
redhat/rhc	<0:1.38.7.1-1.el6	0:1.38.7.1-1.el6
redhat/rubygem-openshift-origin-admin-console	<0:1.28.2.1-1.el6	0:1.28.2.1-1.el6
redhat/rubygem-openshift-origin-controller	<0:1.38.6.4-1.el6	0:1.38.6.4-1.el6
redhat/rubygem-openshift-origin-frontend-haproxy-sni-proxy	<0:0.5.2.1-1.el6	0:0.5.2.1-1.el6
redhat/rubygem-openshift-origin-msg-broker-mcollective	<0:1.36.2.4-1.el6	0:1.36.2.4-1.el6
redhat/rubygem-openshift-origin-node	<0:1.38.6.4-1.el6	0:1.38.6.4-1.el6
redhat/rubygem-openshift-origin-routing-daemon	<0:0.26.6.1-1.el6	0:0.26.6.1-1.el6
redhat/thermostat1-httpcomponents-client	<0:4.2.5-3.4.el6.1	0:4.2.5-3.4.el6.1
redhat/httpcomponents-client	<4.3.5	4.3.5
maven/org.apache.httpcomponents:httpclient	<4.3.5	4.3.5
Apache Commons HttpClient	>=4.0<=4.3.4
Apache HttpAsyncClient	>=4.0<=4.0.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2014-3577?
The severity of CVE-2014-3577 is classified as medium due to the potential for man-in-the-middle attacks.
How do I fix CVE-2014-3577?
To fix CVE-2014-3577, you should upgrade to Apache HttpClient version 4.3.5 or higher.
Which versions are affected by CVE-2014-3577?
Versions of Apache HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 are affected by CVE-2014-3577.
What is the impact of CVE-2014-3577?
CVE-2014-3577 allows attackers to perform man-in-the-middle attacks due to improper hostname verification.
Is CVE-2014-3577 exploitable remotely?
Yes, CVE-2014-3577 is exploitable remotely as it involves network communications that can be intercepted.

collector/redhat-cve
agent/type
agent/softwarecombine
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2014-3577
agent/software-canonical-lookup
agent/severity
agent/author
agent/weakness
agent/description
collector/github-advisory-latest
source/GitHub
alias/GHSA-cfh5-3ghh-wfjx
agent/references
collector/github-advisory
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-api
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
collector/nvd-index
package-manager/redhat
package-manager/maven
vendor/apache
canonical/apache commons httpclient
version/apache commons httpclient/4.0
version/apache commons httpclient/4.3.4
canonical/apache httpasyncclient
version/apache httpasyncclient/4.0
version/apache httpasyncclient/4.0.1

CVE-2014-3577

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Frequently Asked Questions

What is the severity of CVE-2014-3577?

How do I fix CVE-2014-3577?

Which versions are affected by CVE-2014-3577?

What is the impact of CVE-2014-3577?

Is CVE-2014-3577 exploitable remotely?

Company

Resources

Contact