CVE-2014-3596

Apache Axis <1.4 - Man-in-the-Middle

Title source: llm
STIX 2.1

Description

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

References (16)

Core 16
Core References
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2014/08/20/2
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/95377
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1030745
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/61222
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/69295
Various Sources x_refsource_confirm
http://linux.oracle.com/errata/ELSA-2014-1193.html
Vendor Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-1193.html

Scores

EPSS 0.0118
EPSS Percentile 79.1%

Details

Status published
Products (8)
apache/axis 1.0 (4 CPE variants)
apache/axis 1.1 (4 CPE variants)
apache/axis 1.2 (8 CPE variants)
apache/axis 1.2.1
apache/axis 1.3
apache/axis < 1.4
axis/axis 0Maven
org.apache.axis/axis 0Maven
Published Aug 27, 2014
Tracked Since Feb 18, 2026