Apache Commons HttpClient is prone to a security-bypass vulnerability because the library fails to properly validate SSL certificates presented by the server.
Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks or to impersonate trusted servers, which may aid further attacks.
Apache Commons HttpClient 3.x versions are affected.
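The following is an added example, not code from the advisory or the HttpClient project, showing one way to close the gap on the 3.x line: a custom SecureProtocolSocketFactory (hypothetical class name) that turns on JSSE endpoint identification so the TLS handshake itself rejects a certificate that does not match the requested host. It assumes Java 7 or later, the HttpClient 3.1 protocol API, and a placeholder URL.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

// Hypothetical class name (added example, not part of HttpClient).
public class HostnameVerifyingSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory jsse = (SSLSocketFactory) SSLSocketFactory.getDefault();

    // Ask JSSE (Java 7+) to check the certificate's SAN/CN against the requested
    // host during the handshake; a mismatch throws SSLHandshakeException.
    private Socket verified(SSLSocket s) throws IOException {
        SSLParameters p = s.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");
        s.setSSLParameters(p);
        s.startHandshake();
        return s;
    }

    public Socket createSocket(Socket sock, String host, int port, boolean autoClose) throws IOException {
        return verified((SSLSocket) jsse.createSocket(sock, host, port, autoClose));
    }
    public Socket createSocket(String host, int port) throws IOException {
        return verified((SSLSocket) jsse.createSocket(host, port));
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort) throws IOException {
        return verified((SSLSocket) jsse.createSocket(host, port, local, localPort));
    }
    public Socket createSocket(String host, int port, InetAddress local, int localPort,
                               HttpConnectionParams params) throws IOException {
        return createSocket(host, port, local, localPort); // connect timeout from params not applied here
    }

    public static void main(String[] args) throws IOException {
        // Replace the JVM-wide https handler so every HttpClient instance verifies hostnames.
        Protocol.registerProtocol("https", new Protocol("https",
                (ProtocolSocketFactory) new HostnameVerifyingSocketFactory(), 443));
        GetMethod get = new GetMethod("https://example.com/"); // placeholder URL
        System.out.println("HTTP status: " + new HttpClient().executeMethod(get));
        get.releaseConnection();
    }
}
```

Chain validation still comes from the JVM's default trust store; this factory only adds the hostname check that the stock 3.x SSL socket factory omits.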
Information
Ubuntu Ubuntu Linux 14.04 LTS
Ubuntu Ubuntu Linux 12.04 LTS
Redhat JBoss Web Framework Kit 2.1
Redhat JBoss Operations Network 3.1.2
Redhat JBoss Fuse 6.2
Redhat JBoss Enterprise Application Platform 5 EL6
Redhat JBoss Enterprise Application Platform 5 EL5
Redhat JBoss Enterprise Application Platform 5 EL4
Redhat JBoss BRMS 5.3.1
Redhat Enterprise Virtualization 3.3
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux HPC Node 6
Redhat Enterprise Linux Desktop Workstation 5 client
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux Desktop 6
Redhat Enterprise Linux Desktop 5 client
Redhat Enterprise Linux 5 Server
Oracle Enterprise Linux 6.2
Oracle Enterprise Linux 6
IBM Development Package for Apache Spark 1.6.2.0
CentOS CentOS 5
Avaya one-X Client Enablement Service 6.1 SP2
Avaya one-X Client Enablement Service 6.1 SP1
Apache Commons HttpClient 3.0
Redhat JBoss Operations Network 3.2.0
Redhat JBoss Fuse 6.3
Avaya one-X Client Enablement Service 6.1 SP3
Exploit
An attacker can use readily available network utilities to exploit this issue.
References:
- Apache Commons HttpClient Homepage (Apache Software Foundation)
- Moderate: JBoss Web Framework Kit 2.2.0 update (Red Hat)
- Validating SSL Certificates in Non-Browser Software (ACM)
- jakarta-commons-httpclient security update (RHSA-2013-0270) (Avaya)
- RHSA-2013-1853 Moderate: Red Hat JBoss Operations Network 3.2.0 update (Red Hat)
- RHSA-2013:0680-1: Moderate: jakarta-commons-httpclient security update (Red Hat)
- swg21989192: Vulnerability in legacy component distributed in IBM Development Pa (IBM)
- USN-2769-1: Apache Commons HttpClient vulnerabilities (Ubuntu)