CVE-2014-3604
Certificates vulnerability in not-yet-commons-ssl (Maven)
What is CVE-2014-3604 About?
Certificates.java in Not Yet Commons SSL does not properly verify the server hostname against the Common Name of the X.509 certificate the server presents. The flaw enables man-in-the-middle attacks in which an attacker spoofs an SSL server using any valid certificate. Exploitation is relatively easy, as it leverages a common misconfiguration in certificate validation.
Affected Software
Technical Details
The Certificates.java component in Not Yet Commons SSL versions prior to 0.3.15 fails to adequately compare the hostname presented by an SSL server with the domain name specified in the Common Name (CN) field of its X.509 certificate. Consequently, an attacker can obtain a legitimate, valid SSL certificate for any domain they control. During an SSL/TLS handshake with a vulnerable client, the attacker can then present this arbitrary valid certificate. Because the client software does not properly enforce hostname verification against the certificate's CN, it trusts the forged server, allowing the attacker to intercept, view, or modify communications in a man-in-the-middle scenario without triggering certificate warnings or errors. This bypasses a critical security control designed to prevent domain impersonation.
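The check described above, as an added illustration rather than code from Not Yet Commons SSL: after the certificate chain validates, the client must still compare the intended hostname with the names in the certificate (SAN dNSName entries first, CN only as a fallback). The `verify_server` function, the `enforce_hostname` switch and the sample certificates are constructed for this example; `enforce_hostname=False` reproduces the vulnerable behaviour, where a chain-valid certificate for a domain the attacker controls is accepted for any host.

```python
from typing import Optional, Sequence, Tuple

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, a
    single '*' allowed only as the whole left-most label and only when at
    least two labels follow it (so '*.example' never matches anything)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard covers exactly one label, so label counts must be equal.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def hostname_matches_certificate(hostname: str, san_dns: Sequence[str],
                                 common_name: Optional[str]) -> bool:
    """SAN dNSName entries are authoritative when present; the CN is only
    consulted for certificates that carry no dNSName SAN at all."""
    if san_dns:
        return any(dns_name_matches(p, hostname) for p in san_dns)
    return common_name is not None and dns_name_matches(common_name, hostname)

def verify_server(expected_host: str, cert: dict, chain_valid: bool,
                  enforce_hostname: bool = True) -> Tuple[bool, str]:
    """Constructed decision routine. enforce_hostname=False mirrors the
    CVE-2014-3604 behaviour: a chain-valid certificate is trusted regardless
    of which name it was issued for."""
    if not chain_valid:
        return False, "certificate chain did not validate"
    if not enforce_hostname:
        return True, "accepted without hostname check (vulnerable behaviour)"
    if hostname_matches_certificate(expected_host, cert.get("san_dns", []), cert.get("cn")):
        return True, "hostname matches certificate"
    return False, f"certificate names do not cover {expected_host}"

# Constructed sample certificates: one the attacker legitimately holds for
# attacker.example, and the genuine one for bank.example.
ATTACKER_CERT = {"cn": "attacker.example", "san_dns": ["attacker.example"]}
BANK_CERT = {"cn": "bank.example", "san_dns": ["bank.example", "*.bank.example"]}

if __name__ == "__main__":
    # Client intended to reach bank.example but is handed the attacker's certificate.
    print(verify_server("bank.example", ATTACKER_CERT, chain_valid=True, enforce_hostname=False))
    print(verify_server("bank.example", ATTACKER_CERT, chain_valid=True))
    print(verify_server("api.bank.example", BANK_CERT, chain_valid=True))
```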
What is the Impact of CVE-2014-3604?
Successful exploitation may allow attackers to intercept, read, and modify encrypted communications, impersonate legitimate servers, and potentially harvest sensitive information.
What is the Exploitability of CVE-2014-3604?
Exploitation of this vulnerability is of moderate complexity, primarily involving network-level manipulation to intercept traffic. It requires no authentication or specific user privileges on the target system; only network access to the communication path between the vulnerable client and its intended server is needed. The attack is remote, making it broadly accessible. A key prerequisite is the ability to position oneself as a man-in-the-middle, often achievable via ARP spoofing, DNS poisoning, or compromised network infrastructure. The attacker also needs an arbitrary valid SSL certificate, which can be acquired for any domain. The likelihood of exploitation increases in environments with weak network security or where clients frequently connect to untrusted networks.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2014-3604?
Available Upgrade Options
- ca.juliusdavies:not-yet-commons-ssl
- <0.3.15 → Upgrade to 0.3.15
Additional Resources
- https://bugzilla.redhat.com/show_bug.cgi?id=1131803
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97659
- http://rhn.redhat.com/errata/RHSA-2015-1888.html
- https://github.com/victims/victims-cve-db/blob/master/database/java/2014/3604.yaml
- http://juliusdavies.ca/svn/viewvc.cgi/not-yet-commons-ssl?view=rev&revision=172
- https://osv.dev/vulnerability/GHSA-cmxj-wx9v-52qr
- https://nvd.nist.gov/vuln/detail/CVE-2014-3604
What are Similar Vulnerabilities to CVE-2014-3604?
Similar Vulnerabilities: CVE-2017-1000000, CVE-2016-10705, CVE-2015-0205, CVE-2014-6593, CVE-2011-3389
