First published: Wed Aug 20 2014

Thermostat is a monitoring and instrumentation tool for the OpenJDK HotSpot Java Virtual Machine (JVM) with support for monitoring multiple JVM instances.

The httpcomponents-client package provides an HTTP agent implementation that is used by Thermostat to visualize collected data in an HTTP-aware client application.

It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

For additional information on this flaw, refer to the Knowledgebase article in the References section.

All thermostat1-httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/thermostat1-httpcomponents-client | <4.2.5-3.4.el6.1 | 4.2.5-3.4.el6.1 |
redhat/thermostat1-httpcomponents-client-javadoc | <4.2.5-3.4.el6.1 | 4.2.5-3.4.el6.1 |
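
To check a host against the table above, the following added example (not part of the advisory or of Red Hat's tooling) compares installed builds with the fixed build 4.2.5-3.4.el6.1 using rpm's segment-wise version ordering. It assumes input produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, packages without an epoch, and no `~` handling; the function names and the sample lines are constructed for illustration.

```python
import re

# Package names and fixed build taken from the advisory's table.
FIXED = "4.2.5-3.4.el6.1"
PACKAGES = (
    "thermostat1-httpcomponents-client",
    "thermostat1-httpcomponents-client-javadoc",
)

_SEG = re.compile(r"\d+|[A-Za-z]+")  # rpm compares runs of digits and runs of letters


def rpmvercmp(a, b):
    """Order two version or release strings segment by segment, as rpm does."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # 10 sorts after 4, not before
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats a letter one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def evr_cmp(a, b):
    """Compare 'version-release' strings (assumption: no epoch present)."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def affected(rpm_lines):
    """Return (name, build) for listed packages older than the fixed build."""
    hits = []
    for line in rpm_lines:
        name, _, build = line.strip().partition(" ")
        if name in PACKAGES and evr_cmp(build, FIXED) < 0:
            hits.append((name, build))
    return hits


# Constructed sample of "name version-release" lines, not taken from a real host.
SAMPLE = """\
thermostat1-httpcomponents-client 4.2.5-3.3.el6
thermostat1-httpcomponents-client-javadoc 4.2.5-3.4.el6.1
httpcomponents-client 4.2.5-3.el6
"""

if __name__ == "__main__":
    for name, build in affected(SAMPLE.splitlines()):
        print(f"{name} {build} is older than {FIXED}")
```

Packages not named in the table, such as the third sample line, are ignored rather than reported.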