CVE-2012-6153
Improper Certificate Validation vulnerability in httpclient (Maven)
What is CVE-2012-6153 About?
This vulnerability in Apache Commons HttpClient allows man-in-the-middle (MITM) attackers to spoof SSL servers. It is caused by improper verification of server hostnames against X.509 certificate fields. The exploitation of this flaw is moderately difficult, requiring an attacker to be in a position to intercept network traffic.
Affected Software
Technical Details
The vulnerability resides in http/conn/ssl/AbstractVerifier.java of Apache Commons HttpClient before version 4.2.3. The verifier is supposed to check that the requested server hostname matches a domain name in the Common Name (CN) of the certificate subject or in the subjectAltName extension. The fix for CVE-2012-5783 was incomplete: the code that extracted the CN treated the subject Distinguished Name as a flat string, splitting it on commas and accepting whatever followed the substring "CN=" in each piece, instead of parsing it as a structured DN. A subject that carries a common name in a field other than CN (for example an O or OU attribute whose value contains "CN=www.example.com", or a value with an escaped comma followed by "CN=...") therefore yields a spurious CN that matches the target host. A man-in-the-middle attacker holding such a certificate can present it for a server they do not control; the client accepts the connection as legitimate, and the attacker can read and modify the traffic. The flaw is confined to hostname matching: chain validation is unaffected, so the crafted certificate must still be issued by a CA the client trusts (or forged with a compromised CA) to be accepted.
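As an added illustration of the flawed CN extraction described above (this code is not from the page or from the HttpClient project): the first method reconstructs the pre-4.2.3 tokenize-and-substring approach, the second parses the DN as RFC 2253 with the JDK's javax.naming.ldap.LdapName, which is the general approach the 4.2.3 fix took. The subject DN strings, the target hostname and the class name are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Flawed extraction (reconstructed for illustration): split the subject
    // DN string on commas and take whatever follows "CN=" in each piece.
    // Any attribute value that contains "CN=" is mistaken for a common name.
    static List<String> naiveCns(String subjectDn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(subjectDn, ",");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken();
            int x = tok.indexOf("CN=");
            if (x >= 0) {
                cns.add(tok.substring(x + 3));
            }
        }
        return cns;
    }

    // Correct extraction: parse the DN per RFC 2253, so only RDNs whose
    // attribute type is CN count, and escaped commas inside other values
    // are treated as data rather than as separators.
    static List<String> parsedCns(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    // Exact, case-insensitive match of the requested host against the CN list.
    // Wildcards and subjectAltName are deliberately out of scope here.
    static boolean cnMatchesHost(List<String> cns, String host) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws InvalidNameException {
        String target = "www.example.com";

        // Constructed subjects. The real CN is a host the attacker controls;
        // the O attribute smuggles "CN=www.example.com" in its value, once
        // plainly and once behind an escaped comma.
        String[] crafted = {
            "CN=attacker.example,O=CN=www.example.com,C=US",
            "CN=attacker.example,O=Evil Corp\\, CN=www.example.com,C=US"
        };

        for (String dn : crafted) {
            List<String> naive = naiveCns(dn);
            List<String> parsed = parsedCns(dn);
            System.out.println("subject : " + dn);
            System.out.println("  naive  CNs " + naive
                + " -> accepts " + target + ": " + cnMatchesHost(naive, target));
            System.out.println("  parsed CNs " + parsed
                + " -> accepts " + target + ": " + cnMatchesHost(parsed, target));
        }
    }
}
```

Compile and run with `javac CnExtractionDemo.java && java CnExtractionDemo`. For both crafted subjects the naive extractor reports www.example.com as a CN and accepts the connection, while the RFC 2253 parse returns only attacker.example and rejects it. A production verifier must additionally prefer subjectAltName dNSName entries over the CN (RFC 6125) and handle wildcards; the example isolates the DN parsing defect only.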
What is the Impact of CVE-2012-6153?
Successful exploitation may allow attackers to spoof legitimate servers, intercept and decrypt sensitive communications, and potentially inject malicious content into user sessions.
What is the Exploitability of CVE-2012-6153?
Exploitation requires a moderate level of skill and, above all, a specific position: the attacker must be able to intercept the client's traffic to the target server, for example by controlling the network path (a rogue access point, ARP or DNS spoofing, a compromised router) or a proxy the client is configured to use. No application-level authentication is needed; the attack takes place during the TLS handshake, before any HTTP request is sent. The other prerequisite is an X.509 certificate that passes the client's chain validation (issued by a CA the client trusts) while carrying a subject in which a non-CN attribute contains the target hostname in a form the flawed parser picks up as a CN. Clients are most exposed when they run on untrusted networks, connect to high-value hosts, and do not pin the server certificate or public key, since pinning would reject the crafted certificate regardless of the hostname check.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2012-6153?
Available Upgrade Options
- org.apache.httpcomponents:httpclient
- <4.2.3 → Upgrade to 4.2.3 or later
Check transitive dependencies as well as direct ones: for Maven projects, `mvn dependency:tree -Dincludes=org.apache.httpcomponents:httpclient` lists every path that pulls the artifact in. A copy of HttpClient shaded into another jar will not appear in that output and needs a classpath scan or an SCA tool to find. Upgrading also does not help code that installs its own permissive hostname verifier; review any custom X509HostnameVerifier or ALLOW_ALL_HOSTNAME_VERIFIER usage at the same time.
Additional Resources
- http://rhn.redhat.com/errata/RHSA-2015-0675.html
- http://rhn.redhat.com/errata/RHSA-2015-0158.html
- http://rhn.redhat.com/errata/RHSA-2014-1891.html
- http://svn.apache.org/viewvc?view=revision&revision=1411705
- http://rhn.redhat.com/errata/RHSA-2014-1892.html
- http://www.securityfocus.com/bid/69257
- http://rhn.redhat.com/errata/RHSA-2015-0765.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1129916
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
- http://rhn.redhat.com/errata/RHSA-2014-1834.html
What are Similar Vulnerabilities to CVE-2012-6153?
Similar Vulnerabilities: CVE-2014-0091, CVE-2017-1000185, CVE-2019-9948, CVE-2020-5398, CVE-2021-41124
