REDHAT-BUG-873317
First published: Mon Nov 05 2012(Updated: )
Common Vulnerabilities and Exposures assigned an identifier <a href="https://access.redhat.com/security/cve/CVE-2012-5783">CVE-2012-5783</a> to the following vulnerability: Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via andaarbitrary valid certificate. References: [1] <a href="http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf">http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf</a> [2] <a href="https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html">https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html</a> [3] <a href="http://www.sigsac.org/ccs/CCS2012/techprogram.shtml">http://www.sigsac.org/ccs/CCS2012/techprogram.shtml</a>
| Affected Software | Affected Version | How to fix |
|---|---|---|
| HttpClient | >=3.0 | |
| Amazon Flexible Payments Service |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2012-5783
- http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
- https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html
- http://www.sigsac.org/ccs/CCS2012/techprogram.shtml
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=873319
- https://issues.apache.org/jira/browse/httpclient-613
- http://svn.apache.org/viewvc?view=revision&revision=483925
- https://issues.apache.org/jira/browse/HTTPCLIENT-1265
- https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573
- https://rhn.redhat.com/errata/RHSA-2013-0270.html
- https://rhn.redhat.com/errata/RHSA-2013-0679.html
- https://rhn.redhat.com/errata/RHSA-2013-0682.html
- https://rhn.redhat.com/errata/RHSA-2013-0681.html
- https://rhn.redhat.com/errata/RHSA-2013-0680.html
- https://rhn.redhat.com/errata/RHSA-2013-0763.html
- https://rhn.redhat.com/errata/RHSA-2013-1006.html
- https://rhn.redhat.com/errata/RHSA-2013-1147.html
- https://rhn.redhat.com/errata/RHSA-2013-1853.html
- https://rhn.redhat.com/errata/RHSA-2014-0224.html
- https://access.redhat.com/security/cve/CVE-2012-6153
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1129916
- https://access.redhat.com/security/cve/CVE-2014-3577
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1129074
- https://access.redhat.com/errata/RHSA-2017:0868
- https://access.redhat.com/errata/RHSA-2023:3954
- https://bugzilla.redhat.com/show_bug.cgi?id=873317
Frequently Asked Questions
What is the severity of REDHAT-BUG-873317?
The severity of REDHAT-BUG-873317 is considered moderate due to potential issues with SSL/TLS certificate validation.
How do I fix REDHAT-BUG-873317?
To fix REDHAT-BUG-873317, update Apache Commons HttpClient to version 4.0 or later, which has addressed the vulnerability.
Which products are affected by REDHAT-BUG-873317?
REDHAT-BUG-873317 affects Apache Commons HttpClient version 3.x and Amazon Flexible Payments Service (FPS) merchant Java SDK.
What type of vulnerability is REDHAT-BUG-873317?
REDHAT-BUG-873317 is a vulnerability related to improper handling of SSL certificates in Apache Commons HttpClient.
Is there a workaround for REDHAT-BUG-873317?
A temporary workaround for REDHAT-BUG-873317 involves customizing the SSL configuration to enforce strict validation before making requests.
- agent/references
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5783
- agent/source
- agent/severity
- agent/description
- agent/event
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/apache
- canonical/httpclient
- vendor/amazon
- canonical/amazon flexible payments service