Could you tell us exactly where you heard about such an SSL vulnerability, please?
Thanks!

On Wed, Aug 8, 2012 at 10:44 AM, Zhi Xie <daxie...@gmail.com> wrote:
> I heard there is an SSL vulnerability about commons-httpclient-3.1. Is there
> a fix for it or a solution?
>
> The vulnerability's description is below.
>
> Axis2 implemented in Java is vulnerable to
> man-in-the-middle attacks. By extension, all applications using this
> library to establish SSL connections with the target servers are
> vulnerable. Affected applications leak all data sent over the network,
> such as login credentials, bank account numbers, personally identifiable
> information, etc. The vulnerability can be exposed in any network
> topology in which a man-in-the-middle can be deployed.
>
> In-depth analysis of Axis2 shows that the middleware uses the
> commons-httpclient-3.1 library when establishing SSL connections with
> target servers. Internally, commons-httpclient-3.1 uses raw sockets to
> establish SSL connections. Per JSSE's manual, raw sockets do not
> verify the name of the target server against the name(s) in the
> server's SSL certificate. Since commons-httpclient-3.1 does not
> provide its own hostname verifier to compensate for this omission,
> this overhaul renders the framework and all applications built on top
> of it insecure.
>
> --
> Best Regards
> Gary
> Apache Geronimo

--
Sagara Gunathunga
Blog - http://ssagara.blogspot.com
Web - http://people.apache.org/~sagara/
LinkedIn - http://www.linkedin.com/in/ssagara