CVE-2014-3577 — MEDIUM (5.8)

Q: How severe is CVE-2014-3577?

CVE-2014-3577 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2014-3577?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Httpclient, Apache Httpasyncclient.

Vulnerability Description

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

CVSS Score

5.8

MEDIUM

AV:N/AC:M/Au:N/C:P/I:P/A:N

Confidentiality

PARTIAL

Integrity

PARTIAL

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Httpclient	>= 4.0, <= 4.3.4
Apache	Httpasyncclient	>= 4.0, <= 4.0.1

References

http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00033.html
http://packetstormsecurity.com/files/127913/Apache-HttpComponents-Man-In-The-MidExploitThird Party AdvisoryVDB Entry
http://rhn.redhat.com/errata/RHSA-2014-1146.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1166.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1833.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1834.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1835.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1836.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1891.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2014-1892.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0125.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0158.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0675.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-0720.htmlThird Party Advisory

FAQ

What is CVE-2014-3577?

CVE-2014-3577 is a vulnerability with a CVSS score of 5.8 (MEDIUM). org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in t...

How severe is CVE-2014-3577?

CVE-2014-3577 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2014-3577?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Httpclient, Apache Httpasyncclient.