I heard there is an SSL vulnerability about commons-httpclient-3.1. Is there a fix on it or a solution?

The vulnerability's description is below.

Axis2 implemented in Java is vulnerable to man-in-the-middle attacks. By extension, all applications using this library to establish SSL connections with the target servers are vulnerable. Affected applications leak all data sent over the network, such as login credentials, bank account numbers, personal identifiable information, etc. The vulnerability can be exposed in any network topology in which a man-in-the-middle can be deployed. In-depth analysis of Axis2 shows that the middleware uses the commons-httpclient-3.1 library when establishing SSL connections with target servers. Internally, commons-httpclient-3.1 uses raw sockets to establish SSL connections. Per JSSE's manual, raw sockets do not verify the name of the target server against the name(s) in the server's SSL certificate. Since commons-httpclient-3.1 does not provide its own hostname verifier to compensate for this omission, this overhaul renders the framework and all applications built on top of it insecure.

--
Best Regards
Gary
Apache Geronimo
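The description above pins the weakness on HttpClient 3.1 handing HTTPS to a plain JSSE socket with no hostname check. One way to close that gap without patching the library is to register your own SecureProtocolSocketFactory that turns on JSSE endpoint identification before the handshake. The class below is an added example written for this thread, not code from Gary's post, Axis2 or HttpClient; it assumes Java 7 or later (for SSLParameters.setEndpointIdentificationAlgorithm) and the commons-httpclient 3.1 API, and the class name is hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/** Hypothetical factory: every HTTPS socket HttpClient 3.1 opens gets a hostname check. */
public class HostnameVerifyingSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

    /** Ask JSSE to match the certificate's names against the requested host ("HTTPS" rules,
     *  Java 7+) and handshake immediately, so a mismatch fails before any request data leaves. */
    private Socket verified(SSLSocket socket) throws IOException {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.startHandshake(); // throws SSLHandshakeException on a name mismatch
        return socket;
    }

    public Socket createSocket(String host, int port) throws IOException {
        return verified((SSLSocket) factory.createSocket(host, port));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException {
        return verified((SSLSocket) factory.createSocket(host, port, localAddress, localPort));
    }

    public Socket createSocket(String host, int port, InetAddress localAddress, int localPort,
                               HttpConnectionParams params) throws IOException, ConnectTimeoutException {
        SSLSocket socket = (SSLSocket) factory.createSocket(); // unconnected, so the timeout applies
        socket.bind(new InetSocketAddress(localAddress, localPort));
        socket.connect(new InetSocketAddress(host, port), params.getConnectionTimeout());
        return verified(socket);
    }

    /** Layer TLS over an existing socket (e.g. after a proxy CONNECT); still verified. */
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return verified((SSLSocket) factory.createSocket(socket, host, port, autoClose));
    }

    /** Call once at startup: replaces the default https protocol for all HttpClient 3.1 users in the JVM. */
    public static void install() {
        Protocol.registerProtocol("https",
            new Protocol("https", (ProtocolSocketFactory) new HostnameVerifyingSocketFactory(), 443));
    }
}
```

Because Protocol.registerProtocol is JVM-global, install() also covers Axis2's internal HttpClient instances, which is the property the description above says is missing.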