{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2012-11-20T00:00:00", "descriptions": [{"lang": "en", "value": "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-01-04T19:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "RHSA-2014:1891", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"}, {"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://access.redhat.com/solutions/1165533"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "RHSA-2014:1098", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "RHSA-2015:1888", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"name": "RHSA-2014:1833", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"}, {"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:0158", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"}, {"name": "RHSA-2014:1834", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1411705"}, {"name": "RHSA-2015:0125", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916"}, {"name": "RHSA-2014:1892", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"}, {"name": "RHSA-2014:1835", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"}, {"name": "69257", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/69257"}, {"name": "USN-2769-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2769-1"}, {"name": "RHSA-2014:1836", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-6153", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "RHSA-2014:1891", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"}, {"name": "RHSA-2015:0765", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"name": "https://access.redhat.com/solutions/1165533", "refsource": "CONFIRM", "url": "https://access.redhat.com/solutions/1165533"}, {"name": "RHSA-2015:0675", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "RHSA-2014:1098", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html"}, {"name": "RHSA-2015:0720", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "RHSA-2015:1888", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"name": "RHSA-2014:1833", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"}, {"name": "RHSA-2015:0850", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:0158", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"}, {"name": "RHSA-2014:1834", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"}, {"name": "http://svn.apache.org/viewvc?view=revision&revision=1411705", "refsource": "CONFIRM", "url": "http://svn.apache.org/viewvc?view=revision&revision=1411705"}, {"name": "RHSA-2015:0125", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916"}, {"name": "RHSA-2014:1892", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"}, {"name": "RHSA-2015:0851", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"name": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564", "refsource": "CONFIRM", "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"}, {"name": "RHSA-2014:1835", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"}, {"name": "69257", "refsource": "BID", "url": "http://www.securityfocus.com/bid/69257"}, {"name": "USN-2769-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2769-1"}, {"name": "RHSA-2014:1836", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T21:28:39.315Z"}, "title": "CVE Program Container", "references": [{"name": "RHSA-2014:1891", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"}, {"name": "RHSA-2015:0765", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://access.redhat.com/solutions/1165533"}, {"name": "RHSA-2015:0675", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"name": "RHSA-2014:1098", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html"}, {"name": "RHSA-2015:0720", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"name": "RHSA-2015:1888", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"name": "RHSA-2014:1833", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"}, {"name": "RHSA-2015:0850", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"name": "RHSA-2015:0158", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"}, {"name": "RHSA-2014:1834", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1411705"}, {"name": "RHSA-2015:0125", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916"}, {"name": "RHSA-2014:1892", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"}, {"name": "RHSA-2015:0851", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"}, {"name": "RHSA-2014:1835", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"}, {"name": "69257", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/69257"}, {"name": "USN-2769-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2769-1"}, {"name": "RHSA-2014:1836", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-6153", "datePublished": "2014-09-04T17:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T21:28:39.315Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:commons-httpclient:*:*:*:*:*:*:*:*", "matchCriteriaId": "36F6B21F-6444-4DEA-8AB4-827819242AF0", "versionEndIncluding": "4.2.2", "versionStartIncluding": "4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783."}, {"lang": "es", "value": "http/conn/ssl/AbstractVerifier.java en Apache Commons HttpClient anterior a 4.2.3 no verifica debidamente que el nombre del servidor coincide con un nombre de dominio en el campo del asunto Common Name (CN) o subjectAltName del certificado X.509, lo que permite a atacantes man-in-the-middle falsificar servidores SSL a trav\u00e9s de un certificado con un asunto que especifica un nombre com\u00fan en un campo que no es el campo CN. NOTA: este problema existe debido a una soluci\u00f3n incompleta para CVE-2012-5783."}], "id": "CVE-2012-6153", "lastModified": "2018-01-05T02:29:33.070", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2014-09-04T17:55:04.623", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1098.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1833.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1834.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1835.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1836.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1891.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2014-1892.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0125.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0158.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0675.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0720.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0765.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0850.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://rhn.redhat.com/errata/RHSA-2015-0851.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2015-1888.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1411705"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/69257"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2769-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/solutions/1165533"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05103564"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Florian Weimer (Red Hat Product Security).", "affected_release": [{"advisory": "RHSA-2014:1320", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package": "jakarta-commons-httpclient-1:3.1-4_patch_02.ep5.el5", "product_name": "JBEWP 5 for RHEL 5", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1320", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package": "jboss-seam2-0:2.2.6.EAP5-22_patch_01.ep5.el5", "product_name": "JBEWP 5 for RHEL 5", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1833", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5", "package": "apache-cxf-0:2.2.12-14.patch_09.ep5.el5", "product_name": "JBEWP 5 for RHEL 5", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1320", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package": "jakarta-commons-httpclient-1:3.1-4_patch_02.el6_5", "product_name": "JBEWP 5 for RHEL 6", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1320", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package": "jboss-seam2-0:2.2.6.EAP5-22_patch_01.el6", "product_name": "JBEWP 5 for RHEL 6", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1833", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6", "package": "apache-cxf-0:2.2.12-14.patch_09.el6", "product_name": "JBEWP 5 for RHEL 6", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1098", "cpe": "cpe:/a:redhat:developer_toolset:2.1::el6", "package": "devtoolset-2-httpcomponents-client-0:4.2.1-6.el6", "product_name": "Red Hat Developer Toolset 2.1 for RHEL 6", "release_date": "2014-08-26T00:00:00Z"}, {"advisory": "RHSA-2014:1892", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2014-11-24T00:00:00Z"}, {"advisory": "RHSA-2015:0234", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "httpclient", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0851", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "cxf", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-04-16T00:00:00Z"}, {"advisory": "RHSA-2015:0851", "cpe": "cpe:/a:redhat:jboss_bpms:6.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss BPMS 6.0", "release_date": "2015-04-16T00:00:00Z"}, {"advisory": "RHSA-2014:1891", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2014-11-24T00:00:00Z"}, {"advisory": "RHSA-2015:0235", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "httpclient", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-02-17T00:00:00Z"}, {"advisory": "RHSA-2015:0850", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "cxf", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-04-16T00:00:00Z"}, {"advisory": "RHSA-2015:0850", "cpe": "cpe:/a:redhat:jboss_brms:6.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss BRMS 6.0", "release_date": "2015-04-16T00:00:00Z"}, {"advisory": "RHSA-2015:0765", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.0", "package": "httpclient", "product_name": "Red Hat JBoss Data Virtualization 6.0", "release_date": "2015-03-31T00:00:00Z"}, {"advisory": "RHSA-2015:0675", "cpe": "cpe:/a:redhat:jboss_data_virtualization:6.1", "product_name": "Red Hat JBoss Data Virtualization 6.1", "release_date": "2015-03-11T00:00:00Z"}, {"advisory": "RHSA-2014:1323", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0", "package": "httpclient", "product_name": "Red Hat JBoss Enterprise Application Platform 5.2", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1323", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Enterprise Application Platform 5.2", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1836", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.2.0", "product_name": "Red Hat JBoss Enterprise Application Platform 5.2", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package": "jakarta-commons-httpclient-1:3.1-4_patch_02.ep5.el4", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package": "jboss-seam2-0:2.2.6.EAP5-22_patch_01.ep5.el4", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1834", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4", "package": "apache-cxf-0:2.2.12-14.patch_09.ep5.el4", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package": "jakarta-commons-httpclient-1:3.1-4_patch_02.ep5.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package": "jboss-seam2-0:2.2.6.EAP5-22_patch_01.ep5.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1834", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5", "package": "apache-cxf-0:2.2.12-14.patch_09.ep5.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package": "jakarta-commons-httpclient-1:3.1-4_patch_02.el6_5", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1321", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package": "jboss-seam2-0:2.2.6.EAP5-22_patch_01.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1834", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6", "package": "apache-cxf-0:2.2.12-14.patch_09.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2014:1163", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.3", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3", "release_date": "2014-09-04T00:00:00Z"}, {"advisory": "RHSA-2014:2020", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6.3", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:1162", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5", "package": "httpcomponents-eap6-0:6-12.redhat_2.1.ep6.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5", "release_date": "2014-09-04T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5", "package": "apache-cxf-0:2.7.12-1.SP1_redhat_5.1.ep6.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el5", "package": "wss4j-0:1.6.16-2.redhat_3.1.ep6.el5", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 5", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:1162", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package": "httpcomponents-eap6-0:6-12.redhat_2.1.ep6.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6", "release_date": "2014-09-04T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package": "apache-cxf-0:2.7.12-1.SP1_redhat_5.1.ep6.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el6", "package": "wss4j-0:1.6.16-2.redhat_3.1.ep6.el6", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 6", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:1162", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package": "httpcomponents-eap6-0:6-12.redhat_2.1.ep6.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7", "release_date": "2014-09-04T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package": "apache-cxf-0:2.7.12-1.SP1_redhat_5.1.ep6.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2014:2019", "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6::el7", "package": "wss4j-0:1.6.16-2.redhat_3.1.ep6.el7", "product_name": "Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7", "release_date": "2014-12-18T00:00:00Z"}, {"advisory": "RHSA-2015:0720", "cpe": "cpe:/a:redhat:jboss_fuse_service_works:6.0", "package": "httpclient", "product_name": "Red Hat JBoss Fuse Service Works 6.0", "release_date": "2015-03-24T00:00:00Z"}, {"advisory": "RHSA-2014:1904", "cpe": "cpe:/a:redhat:jboss_operations_network:3.3", "package": "httpclient", "product_name": "Red Hat JBoss Operations Network 3.3", "release_date": "2014-11-25T00:00:00Z"}, {"advisory": "RHSA-2014:1904", "cpe": "cpe:/a:redhat:jboss_operations_network:3.3", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Operations Network 3.3", "release_date": "2014-11-25T00:00:00Z"}, {"advisory": "RHSA-2015:1009", "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6.2", "package": "httpclient", "product_name": "Red Hat JBoss Portal 6.2", "release_date": "2015-05-14T00:00:00Z"}, {"advisory": "RHSA-2015:1888", "cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5.3", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss SOA Platform 5.3", "release_date": "2015-10-12T00:00:00Z"}, {"advisory": "RHSA-2015:0125", "cpe": "cpe:/a:redhat:jboss_enterprise_web_framework:2.7.0", "package": "httpclient", "product_name": "Red Hat JBoss Web Framework Kit 2.7", "release_date": "2015-02-04T00:00:00Z"}, {"advisory": "RHSA-2014:1322", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0", "package": "httpclient", "product_name": "Red Hat JBoss Web Platform 5.2", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1322", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0", "package": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Web Platform 5.2", "release_date": "2014-09-29T00:00:00Z"}, {"advisory": "RHSA-2014:1835", "cpe": "cpe:/a:redhat:jboss_enterprise_web_platform:5.2.0", "product_name": "Red Hat JBoss Web Platform 5.2", "release_date": "2014-11-10T00:00:00Z"}, {"advisory": "RHSA-2015:0158", "cpe": "cpe:/a:redhat:rhev_manager:3", "package": "org.ovirt.engine-root-0:3.5.0-29", "product_name": "RHEV Manager version 3.5", "release_date": "2015-02-11T00:00:00Z"}], "bugzilla": {"description": "CXF: SSL hostname verification bypass, incomplete CVE-2012-5783 fix", "id": "1129916", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1129916"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "verified"}, "cwe": "CWE-297", "details": ["http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.", "It was found that the fix for CVE-2012-5783 was incomplete: the code added to check that the server host name matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate."], "name": "CVE-2012-6153", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Will not fix", "package_name": "jakarta-commons-httpclient", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Not affected", "package_name": "wagon-http", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:developer_toolset:2.1", "fix_state": "Will not fix", "package_name": "httpcomponents-client", "product_name": "Red Hat Developer Toolset 2.1"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "httpcomponents-client", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Affected", "package_name": "redhat-support-plugin-rhev", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:enterprise_linux:7::hypervisor", "fix_state": "Affected", "package_name": "rhevm-dependencies", "product_name": "Red Hat Enterprise Virtualization 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "httpclient", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:5", "fix_state": "Will not fix", "package_name": "modeshape-client", "product_name": "Red Hat JBoss BRMS 5"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Affected", "package_name": "httpclient", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Fix deferred", "package_name": "modeshape-client", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4", "fix_state": "Will not fix", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Enterprise Application Platform 4"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Fix deferred", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "amq-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "ewp-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fsf-2", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-esb-4", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-esb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-mq-5.4", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-mq-5.5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Affected", "package_name": "fuse-mq-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Fix deferred", "package_name": "jds-5", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Fix deferred", "package_name": "jds-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Fix deferred", "package_name": "jds-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Affected", "package_name": "httpclient", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss Portal 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:4.3", "fix_state": "Will not fix", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat JBoss SOA Platform 4.3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Affected", "package_name": "cxf", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_soa_platform:5", "fix_state": "Affected", "package_name": "httpclient", "product_name": "Red Hat JBoss SOA Platform 5"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "httpclient", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:openshift:2", "fix_state": "Not affected", "package_name": "wagon-http", "product_name": "Red Hat OpenShift Enterprise 2"}, {"cpe": "cpe:/a:redhat:network_satellite:5", "fix_state": "Affected", "package_name": "jakarta-commons-httpclient", "product_name": "Red Hat Satellite 5"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Affected", "package_name": "httpcomponents-client", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "maven30-httpcomponents-client", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "maven30-jakarta-commons-httpclient", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Not affected", "package_name": "thermostat1-httpcomponents-client", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:storage:2.1", "fix_state": "Will not fix", "package_name": "rhevm-dependencies", "product_name": "Red Hat Storage 2.1"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "rhevm-dependencies", "product_name": "Red Hat Storage 3.0"}], "public_date": "2014-08-14T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2012-6153\nhttps://nvd.nist.gov/vuln/detail/CVE-2012-6153"], "statement": "Additional information can be found in the Red Hat Knowledgebase article: https://access.redhat.com/solutions/1165533\nThis issue affects the versions of HttpComponents Client and ModeShape Client as shipped with Red Hat JBoss Data Virtualization 6. However, this flaw is not known to be exploitable under any supported scenario in Red Hat JBoss Data Virtualization 6. A future update may address this issue.\nThis issue did not affect the jakarta-commons-httpclient packages as shipped with Red Hat Enterprise Linux 5, 6, and 7, and httpcomponents-client packages as shipped with Red Hat Enterprise Linux 7.\nRed Hat JBoss Enterprise Application Platform 4, Red Hat JBoss SOA Platform 4, and Red Hat JBoss Web Server 1 are now in Phase 3, Extended Life Support, of their respective life cycles. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat JBoss Middleware and Red Hat JBoss Operations Network Product Update and Support Policy: https://access.redhat.com/support/policy/updates/jboss_notes/\nFuse ESB 4, Fuse Message Broker 5.2, 5.3, 5.4 and Fuse Services Framework 2.3, 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", "threat_severity": "Important", "upstream_fix": "httpcomponents-client 4.2.3"}