CVE-2014-3603 - OpenCVE

The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Shibboleth	Identity Provider Opensaml Java

Configuration 1 [-]

cpe:2.3:a:shibboleth:identity_provider:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:shibboleth:opensaml_java:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://secunia.com/advisories/60816
http://shibboleth.net/community/advisories/secadv_20140813.txt
https://bugzilla.redhat.com/show_bug.cgi?id=1131823
https://nvd.nist.gov/vuln/detail/CVE-2014-3603
https://www.cve.org/CVERecord?id=CVE-2014-3603

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2019-04-04T13:38:16

Updated: 2024-08-06T10:50:17.020Z

Reserved: 2014-05-14T00:00:00

Link: CVE-2014-3603

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-04T14:29:00.240

Modified: 2019-04-08T13:22:04.397

Link: CVE-2014-3603

Redhat

Severity : Important

Publid Date: 2014-08-13T00:00:00Z

Links: CVE-2014-3603 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Identity Provider (IdP)", "vendor": "Shibboleth; OpenSAML Java", "versions": [{"status": "affected", "version": "< 2.4.1"}]}, {"product": "OpenSAML Java", "vendor": "Shibboleth; OpenSAML Java", "versions": [{"status": "affected", "version": "< 2.6.2"}]}], "datePublic": "2014-08-13T00:00:00", "descriptions": [{"lang": "en", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-04T13:38:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "60816", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/60816"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-3603", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Identity Provider (IdP)", "version": {"version_data": [{"version_value": "< 2.4.1"}]}}, {"product_name": "OpenSAML Java", "version": {"version_data": [{"version_value": "< 2.6.2"}]}}]}, "vendor_name": "Shibboleth; OpenSAML Java"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "60816", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/60816"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"name": "http://shibboleth.net/community/advisories/secadv_20140813.txt", "refsource": "CONFIRM", "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:50:17.020Z"}, "title": "CVE Program Container", "references": [{"name": "60816", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/60816"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-3603", "datePublished": "2019-04-04T13:38:16", "dateReserved": "2014-05-14T00:00:00", "dateUpdated": "2024-08-06T10:50:17.020Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shibboleth:identity_provider:*:*:*:*:*:*:*:*", "matchCriteriaId": "2177E37A-0186-42E0-AE79-501FEA214B55", "versionEndExcluding": "2.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:shibboleth:opensaml_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CA3675A-CA2A-4D06-A32B-68D7ED42AD01", "versionEndExcluding": "2.6.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."}, {"lang": "es", "value": "Las implementaciones de (1) HttpResource y (2) FileBackedHttpResource en el Proveedor de Identidad (IdP) de Shibboleth, en versiones anteriores a la 2.4.1, y en OpenSAML Java, en su versi\u00f3n 2.6.2, no verifican que el nombre de host del servidor se corresponda con un nombre de dominio en el campo \"Common Name\" (CN) del asunto o en el campo \"subjectAltName\" del certificado X.509. Esto permite a los atacantes Man-in-the-Middle (MitM) suplantar los servidores SSL a trav\u00e9s de un certificado arbitrario v\u00e1lido."}], "id": "CVE-2014-3603", "lastModified": "2019-04-08T13:22:04.397", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-04T14:29:00.240", "references": [{"source": "secalert@redhat.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "http://secunia.com/advisories/60816"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://shibboleth.net/community/advisories/secadv_20140813.txt"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-297"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "Java: HTTPS Connections Via HTTP Resources Do Not Perform Hostname Verification", "id": "1131823", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1131823"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "cwe": "CWE-297", "details": ["The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate."], "name": "CVE-2014-3603", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:6", "fix_state": "Not affected", "package_name": "opensaml-java", "product_name": "Red Hat JBoss Data Grid 6"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Enterprise Application Platform 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-6", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-esb-4", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "fuse-esb-7", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Will not fix", "package_name": "fuse-sf-2", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5", "fix_state": "Will not fix", "package_name": "opensaml", "product_name": "Red Hat JBoss Portal 5"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:6", "fix_state": "Not affected", "package_name": "opensaml", "product_name": "Red Hat JBoss Portal 6"}], "public_date": "2014-08-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2014-3603\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-3603"], "statement": "This issue did not affect the versions of OpenSAML Java as shipped with Red Hat JBoss Data Virtualization 6, Red Hat JBoss Data Grid 6, Red Hat JBoss Enterprise Application Platform 5 and 6, Red Hat JBoss JBoss Operations Network 3, and Red Hat JBoss Portal 6. These products use a version of Jakarta Commons HttpClient that contains a fix for CVE-2012-5783.\nFuse ESB 4 and Fuse Services Framework 2.3 and 2.4 are now in a reduced support phase receiving only Critical impact security fixes. This issue has been rated as having Important security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Fuse Product Life Cycle: https://access.redhat.com/support/policy/updates/fusesource/", "threat_severity": "Important", "upstream_fix": "opensaml 2.6.2"}