[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924979#comment-16924979 ]
robert lazarski commented on AXIS-2905:
---------------------------------------

I looked more into this, after applying the patch here's the error:

[ERROR] Undefined reference: javax/naming/ldap/LdapName.getRdns()Ljava/util/List; in /home/robert/repos/aa/axis-project/axis-rt-core/target/classes/org/apache/axis/components/net/JSSESocketFactory.class

Which led me to believe that method is not on the classpath, however with JDK 8 it's there after all. The problem is with animal sniffer, which I have no doubt it is working as intended:

[ERROR] Failed to execute goal org.codehaus.mojo:animal-sniffer-maven-plugin:1.8:check (default) on project axis-rt-core: Signature errors found. Verify them and put @IgnoreJRERequirement on them. -> [Help 1]

Since this is a cert patch, the signature the error references is not about that but rather the API signature - LdapName is "Since 1.5" and the plugin seems to be blocking that reference for anything after 1.4. If I comment out that plugin in the root pom.xml it compiles fine.

[~veithen] not sure if you are active on axis 1.x anymore ... do we really need to force JDK 1.4 source compatibility with animal sniffer at this point?

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to
> check that the server hostname matches the domain name in the subject's CN
> field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
> where the attacker can spoof a valid certificate using a specially crafted
> subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433
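
The comment above reports that the patched code calls `LdapName.getRdns()`, and the issue describes the earlier check of the subject's CN as flawed. The following is an added example, not taken from the Axis code base or the attached patch, that contrasts a hypothetical string-splitting CN extraction with one that parses the subject through `LdapName.getRdns()`. The class name, both method names and the subject string are constructed for illustration.

```java
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class SubjectCnExample {

    // Hypothetical naive extraction: split the DN text on commas and take the
    // first piece that looks like "CN=...". It ignores RFC 2253 escaping, so a
    // comma escaped inside another attribute's value starts a bogus "field".
    static String naiveCn(String dn) {
        for (String part : dn.split(",")) {
            String p = part.trim();
            if (p.startsWith("CN=")) {
                return p.substring(3);
            }
        }
        return null;
    }

    // Structured extraction: let LdapName parse the DN (escapes included) and
    // accept a value only from an RDN whose attribute type really is CN.
    static String parsedCn(String dn) throws InvalidNameException {
        List<Rdn> rdns = new LdapName(dn).getRdns();
        // getRdns() puts the right-most RDN at index 0, so walk backwards to
        // visit the RDNs in the order they are written in the DN string.
        for (int i = rdns.size() - 1; i >= 0; i--) {
            Rdn rdn = rdns.get(i);
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject: the O value contains an escaped comma followed
        // by text that reads like a CN field. The only real CN RDN is
        // other.example.test.
        String dn = "O=Acme\\, CN=bank.example.test,CN=other.example.test,C=US";

        System.out.println("naive : " + naiveCn(dn));
        System.out.println("parsed: " + parsedCn(dn));
    }
}
```

On the constructed subject, the naive method returns text taken from inside the O value, while the parsed method returns the value of the actual CN RDN. `javax.naming.ldap.LdapName` is the "Since 1.5" API that the animal-sniffer check in the comment rejects.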