[ https://issues.apache.org/jira/browse/AXIS-2905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17462902#comment-17462902 ]
Robert Lazarski commented on AXIS-2905:
---------------------------------------

For Axis2, users of 1.8.0 are definitely not affected. See AXIS2-6018.

> Insecure certificate validation CVE-2014-3596
> ---------------------------------------------
>
>                 Key: AXIS-2905
>                 URL: https://issues.apache.org/jira/browse/AXIS-2905
>             Project: Axis
>          Issue Type: Bug
>    Affects Versions: 1.4
>            Reporter: David Jorm
>            Assignee: Robert Lazarski
>            Priority: Major
>         Attachments: CVE-2014-3596.patch
>
>
> It was found that the fix for CVE-2012-5784 was incomplete. The code added to
> check that the server hostname matches the domain name in the subject's CN
> field was flawed. This can be exploited by a Man-in-the-middle (MITM) attack
> where the attacker can spoof a valid certificate using a specially crafted
> subject.
> For more details, see:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3596
> https://access.redhat.com/solutions/1164433