Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Apache HttpComponents to 4.3.5 - CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack [SPR-12100] #16716

Closed
spring-projects-issues opened this issue Aug 19, 2014 · 1 comment
Assignees
Labels
in: web status: backported type: task
Milestone

Comments

@spring-projects-issues
Copy link
Collaborator

@spring-projects-issues spring-projects-issues commented Aug 19, 2014

JimK opened SPR-12100 and commented

Security Advisory - Apache Software Foundation
Apache HttpComponents / hc.apache.org

       Hostname verification susceptible to MITM attack

                   CVE-2014-3577 / CVSS 1.4

Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible
to a 'Man in the Middle Attack' due to a flaw in the default hostname
verification during SSL/TLS when a specially crafted server side
certificate is used.

Background


During an SSL connection (https) the client verifies the hostname in
the URL against the hostname as encoded in the servers certificate (CN,
subjectAlt fields). This is to ensure that the client connects to the
'real' server, as opposed to something in middle (man in the middle)
that may compromise end to end confidentiality and integrity.


Affects: 3.2.11, 4.0.6

Reference URL: http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

Referenced from: commits 5cd1e6a, fb452fa

Backported to: 4.0.7

@spring-projects-issues
Copy link
Collaborator Author

@spring-projects-issues spring-projects-issues commented Aug 19, 2014

Juergen Hoeller commented

Note that Spring just uses an optional version of Apache HttpComponents for compilation purposes and does not bring it into the application classpath itself. Instead, Spring users choose their own version of Apache HttpComponents, and this CVE suggests that they should be upgrading to 4.3.5 there.

That said, we're nevertheless upgrading our build to use HttpClient 4.3.5 / HttpAsyncClient 4.0.2 as of Spring 4.1 GA / 4.0.7. However, for backwards compatibility reasons, we are not going to upgrade our build beyond HttpComponents 4.2.x in the Spring 3.2.x line. Users are free to use HttpComponents 4.3.5 with Spring 3.2.x as well, of course.

Juergen

@spring-projects-issues spring-projects-issues added status: backported in: web type: task labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.1 GA milestone Jan 11, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: web status: backported type: task
Projects
None yet
Development

No branches or pull requests

2 participants