https://bz.apache.org/bugzilla/show_bug.cgi?id=69416

            Bug ID: 69416
           Summary: JavaMail SSL certificate validation not enforced in
                    SMTP transmission
           Product: Ant
           Version: 1.10.15
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: Optional Tasks
          Assignee: notifications@ant.apache.org
          Reporter: sheha...@openrefactory.com
  Target Milestone: ---

### Overview
In the file
[MimeMailer.java](https://github.com/apache/ant/blob/rel/1.10.15/src/main/org/apache/tools/ant/taskdefs/email/MimeMailer.java#L168),
the MimeMailer class in Apache Ant's email task does not properly validate SSL
certificates during SMTP mail transmission, potentially allowing
man-in-the-middle attacks.

### Steps to Reproduce
This issue is identified through static analysis, so it cannot be directly
reproduced via runtime observation. However, if left unresolved, it could lead
to unpredictable behavior.

### Expected Results
The mail transmission should enforce proper SSL certificate validation and
hostname verification to prevent potential man-in-the-middle attacks. The code
should include explicit SSL security configurations.

### Build Date & Hardware
 - Apache Ant Version: 1.10.15
 - Java Version: OpenJDK-17
 - Platform: Linux

### Possible Fix
```
if (SSL) {
    // Enable SSL with proper certificate validation
    props.put("mail.smtp.ssl.enable", "true"); // Enable ssl
    props.put("mail.smtp.ssl.checkserveridentity", "true");  // Enable strict hostname verification
    props.put("mail.smtp.socketFactory.class", SSL_FACTORY);
    props.put("mail.smtp.socketFactory.fallback", "false");
    props.put("mail.smtps.host", host);
    if (isPortExplicitlySpecified()) {
        props.put("mail.smtps.port", String.valueOf(port));
        props.put("mail.smtp.socketFactory.port", String.valueOf(port));
    }
}

// Rest of the existing code remains the same
if (user != null || password != null) {
    props.put("mail.smtp.auth", "true");
    auth = new SimpleAuthenticator(user, password);
}
if (isStartTLSEnabled()) {
    props.put("mail.smtp.starttls.enable", "true");
    props.put("mail.smtp.starttls.required", "true");  // Enforce STARTTLS
}
```

### Sponsorship and Support:
This work is done by the security researchers from OpenRefactory and is
supported by the [Open Source Security Foundation
(OpenSSF)](https://openssf.org/): [Project
Alpha-Omega](https://alpha-omega.dev/). Alpha-Omega is a project partnering
with open source software project maintainers to systematically find new,
as-yet-undiscovered vulnerabilities in open source code - and get them fixed -
to improve global software supply chain security.

The bug is found by running the Intelligent Code Repair (iCR) tool by
[OpenRefactory, Inc.](https://openrefactory.com/) and then manually triaging
the results.

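An added example, not taken from the bug report or from Ant's code base: a small auditor that checks a JavaMail `Properties` object for the TLS settings the proposed fix sets. The class `MailTlsAudit`, its method names and the sample property set are hypothetical, and an absent key is treated as not enforced.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Hypothetical helper, not part of Ant or JavaMail: lists session properties that weaken SMTP TLS.
public class MailTlsAudit {

    // protocol is the JavaMail transport name whose keys are read: "smtp" or "smtps".
    static List<String> audit(Properties p, String protocol) {
        String pre = "mail." + protocol + ".";
        List<String> findings = new ArrayList<>();
        boolean customFactory = p.getProperty(pre + "socketFactory.class") != null;
        boolean implicitTls = "smtps".equals(protocol) || isTrue(p, pre + "ssl.enable") || customFactory;
        boolean startTls = isTrue(p, pre + "starttls.enable");

        if (!implicitTls && !startTls) {
            findings.add("no TLS requested for " + protocol);
        }
        if (startTls && !isTrue(p, pre + "starttls.required")) {
            findings.add(pre + "starttls.required is not true: cleartext is used if STARTTLS is not offered");
        }
        // Assumption: an absent key counts as "off", the conservative reading.
        if ((implicitTls || startTls) && !isTrue(p, pre + "ssl.checkserveridentity")) {
            findings.add(pre + "ssl.checkserveridentity is not true: certificate name is not matched to the host");
        }
        if ("*".equals(p.getProperty(pre + "ssl.trust", "").trim())) {
            findings.add(pre + "ssl.trust=* trusts all hosts");
        }
        if (customFactory && !"false".equalsIgnoreCase(p.getProperty(pre + "socketFactory.fallback"))) {
            findings.add(pre + "socketFactory.fallback is not false: a plain socket is used if the factory fails");
        }
        return findings;
    }

    static boolean isTrue(Properties p, String key) {
        return "true".equalsIgnoreCase(p.getProperty(key, "").trim());
    }

    public static void main(String[] args) {
        Properties fixed = new Properties(); // constructed sample: keys set by the proposed fix
        fixed.put("mail.smtp.ssl.enable", "true");
        fixed.put("mail.smtp.ssl.checkserveridentity", "true");
        fixed.put("mail.smtp.socketFactory.class", "javax.net.ssl.SSLSocketFactory"); // constructed value
        fixed.put("mail.smtp.socketFactory.fallback", "false");
        fixed.put("mail.smtp.starttls.enable", "true");
        fixed.put("mail.smtp.starttls.required", "true");
        System.out.println("smtp:  " + audit(fixed, "smtp"));
        System.out.println("smtps: " + audit(fixed, "smtps"));
    }
}
```

JavaMail reads keys under the name of the transport in use, so the second call shows that `mail.smtp.*` settings do not cover a session opened with the `smtps` transport.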