CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack

[David Jorm <djorm () redhat com>]

Hi All

I noticed that the fix for CVE-2012-5784 was incomplete. The code added 
to check that the server hostname matches the domain name in the 
subject's CN field was flawed. This can be exploited by a 
Man-in-the-middle (MITM) attack where the attacker can spoof a valid 
certificate using a specially crafted subject.

Note that Axis 1 is EOL upstream, and the incomplete patch for 
CVE-2012-5784 was never merged upstream. It was, however, shipped by 
various vendors, including Debian and Red Hat. I do not believe Axis 2 
is affected.

The incomplete patch:

https://issues.apache.org/jira/secure/attachment/12560257/CVE-2012-5784-2.patch

Is attached to this issue:

https://issues.apache.org/jira/browse/AXIS-2883

The flaw exists in the getCN(String) method. An attacker could craft a 
subject that includes a CN in a field other than the CN, and this CN 
would be used when validating the hostname.

Since Axis 1 is EOL upstream, I have assigned CVE-2014-3596 to this 
issue from the Red Hat CNA. I have now made this issue public:

https://access.redhat.com/security/cve/CVE-2014-3596

An upstream bug, along with a proposed patch, is available here:

https://issues.apache.org/jira/browse/AXIS-2905

Thanks
--
David Jorm / Red Hat Product Security