AthenaXiao opened a new issue #4590:
URL: https://github.com/apache/cloudstack/issues/4590
<!--
Verify first that your issue/request is not already reported on GitHub.
Also test if the latest release and master branch are affected too.
Always add information AFTER of these HTML comments, but no need to delete
the comments.
-->
##### ISSUE TYPE
<!-- Pick one below and delete the rest -->
* bug report
##### SUMMARY
We found a security vulnerability. In file
[cloudstack/plugins/network-elements/palo-alto/src/main/java/com/cloud/network/utils/HttpClientWrapper.java](https://github.com/apache/cloudstack/blob/0f3f2a09370a18301db28ec3d28efe746b6437c9/plugins/network-elements/palo-alto/src/main/java/com/cloud/network/utils/HttpClientWrapper.java),
the customized HostnameVerfier allows all hostname to pass the verification
(at Line 76).
##### Security Impact:
Hostname Verification is required to verify the identity of the other party.
Bypassing it could allow man-in-the-middle attacks.
##### Useful Resources:
https://cwe.mitre.org/data/definitions/297.html
##### Solution we suggest:
Do not customize the HostnameVerifier or specify the verification logic
instead of allowing all hostnames.
##### Please share with us your opinions/comments if there is any:
Is the bug report helpful?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
