CVE-2012-5783
Man-in-the-Middle (MITM) vulnerability in commons-httpclient (Maven)

Vulnerability class: Man-in-the-Middle (MITM). Known exploits: none.

What is CVE-2012-5783 About?

Apache Commons HttpClient 3.x fails to verify that the server hostname matches the domain name in the server's X.509 certificate, leaving clients open to man-in-the-middle attacks: an attacker can impersonate any SSL server using any valid certificate, whatever domain it was issued for. Exploitation is of moderate difficulty, since the attacker must be able to intercept the client's traffic and must hold a valid, though arbitrary, certificate.

Affected Software

commons-httpclient:commons-httpclient >=3.0

Technical Details

Apache Commons HttpClient 3.x, commonly used in applications such as the Amazon Flexible Payments Service (FPS) merchant Java SDK, does not perform hostname verification against X.509 certificates. Specifically, it never confirms that the hostname of the server it is communicating with matches the Common Name (CN) or the subjectAltName field of the server's SSL certificate. A man-in-the-middle attacker can therefore present any valid X.509 certificate (even one issued for a different domain) to the client. Because the client only checks that the certificate chains to a trusted CA, and not that it belongs to the requested host, the SSL/TLS handshake succeeds; the attacker can then decrypt and re-encrypt traffic, impersonating the legitimate server and intercepting all communications.

What is the Impact of CVE-2012-5783?

Successful exploitation may allow attackers to intercept and decrypt sensitive communications, impersonate legitimate servers, or compromise data confidentiality and integrity.

What is the Exploitability of CVE-2012-5783?

Exploitation is of moderate complexity, since the attacker must hold a man-in-the-middle position between the client and the server. No authentication is required against the vulnerable HttpClient itself, but the attacker needs control of network routing or DNS to intercept the traffic. The attack is remote. The main prerequisites are the ability to intercept network traffic and possession of any valid X.509 certificate issued by a trusted Certificate Authority; the certificate can be for any domain. The risk is heightened by the fact that many applications use this outdated library without their developers being aware of its hostname verification shortcomings.

What are the Known Public Exploits?

No known public exploits are listed (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2012-5783?

Available Upgrade Options

  • No fixes available

Additional Resources

What are Similar Vulnerabilities to CVE-2012-5783?

Similar Vulnerabilities: CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066