Hello HttpComponents Dev Team,
Our team is trying to figure out if Apache HTTPclient 4.2.5 is vulnerable to CVE-2014-3577 (Apache HttpComponents certificate spoofing). I did not see Apache HTTPclient 4.2.5 listed as a vulnerable version in the NIST Vulnerability Database CVE article (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3577), but wanted to check with you in case that version has been missed from the list or is actually ok to use (not vulnerable).

The list of vulnerable versions in the article is:

Vulnerable software and versions

+ Configuration 1
  + OR
    cpe:/a:apache:httpasyncclient:4.0.1 and previous versions
    cpe:/a:apache:httpasyncclient:4.0
    cpe:/a:apache:httpasyncclient:4.0:beta4
    cpe:/a:apache:httpasyncclient:4.0:beta3
    cpe:/a:apache:httpasyncclient:4.0:beta2
    cpe:/a:apache:httpasyncclient:4.0:beta1
    cpe:/a:apache:httpasyncclient:4.0:alpha3
    cpe:/a:apache:httpasyncclient:4.0:alpha2
    cpe:/a:apache:httpasyncclient:4.0:alpha1

+ Configuration 2
  + OR
    cpe:/a:apache:httpclient:4.3.4 and previous versions
    cpe:/a:apache:httpclient:4.3.3
    cpe:/a:apache:httpclient:4.3.2
    cpe:/a:apache:httpclient:4.3.1
    cpe:/a:apache:httpclient:4.3
    cpe:/a:apache:httpclient:4.3:beta2
    cpe:/a:apache:httpclient:4.3:beta1
    cpe:/a:apache:httpclient:4.3:alpha1
    cpe:/a:apache:httpclient:4.2.3
    cpe:/a:apache:httpclient:4.2.2
    cpe:/a:apache:httpclient:4.2.1
    cpe:/a:apache:httpclient:4.2
    cpe:/a:apache:httpclient:4.2:beta1
    cpe:/a:apache:httpclient:4.2:alpha1
    cpe:/a:apache:httpclient:4.1.2
    cpe:/a:apache:httpclient:4.1.1
    cpe:/a:apache:httpclient:4.1
    cpe:/a:apache:httpclient:4.1:beta1
    cpe:/a:apache:httpclient:4.1:alpha2
    cpe:/a:apache:httpclient:4.1:alpha1
    cpe:/a:apache:httpclient:4.0.1
    cpe:/a:apache:httpclient:4.0
    cpe:/a:apache:httpclient:4.0:beta2
    cpe:/a:apache:httpclient:4.0:beta1
    cpe:/a:apache:httpclient:4.0:alpha4
    cpe:/a:apache:httpclient:4.0:alpha3
    cpe:/a:apache:httpclient:4.0:alpha2
    cpe:/a:apache:httpclient:4.0:alpha1

Thank you for your assistance.

Best regards,
Miriam Celi
Security Architect
IBM Analytics - InfoSphere Information Server
E-mail: [email protected]
Phone: 561.702.9206 (mobile)
"Security is everyone's responsibility"
