Executive Summary

Informations
Name MDVSA-2014:170 First vendor Publication 2014-09-02
Vendor Mandriva Last vendor Modification 2014-09-02
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Updated jakarta-commons-httpclient and httpcomponents-client packages fix security vulnerability:

The Jakarta Commons HttpClient and Apache httpcomponents HttpClient components may be susceptible to a 'Man in the Middle Attack' due to a flaw in the default hostname verification during SSL/TLS when a specially crafted server side certificate is used (CVE-2012-6153).

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2014:170

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26509
 
Oval ID: oval:org.mitre.oval:def:26509
Title: ELSA-2014-1146 -- httpcomponents-client security update (Important)
Description: HttpClient is an HTTP/1.1 compliant HTTP agent implementation based on httpcomponents HttpCore. It was discovered that the HttpClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): ELSA-2014-1146
CVE-2014-3577
CVE-2012-6153
Version: 3
Platform(s): Oracle Linux 7
Product(s): httpcomponents-client
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27050
 
Oval ID: oval:org.mitre.oval:def:27050
Title: ELSA-2014-1166 -- jakarta-commons-httpclient security update (Important)
Description: Jakarta Commons HTTPClient implements the client side of HTTP standards. It was discovered that the HTTPClient incorrectly extracted host name from an X.509 certificate subject's Common Name (CN) field. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577) For additional information on this flaw, refer to the Knowledgebase article in the References section. All jakarta-commons-httpclient users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.
Family: unix Class: patch
Reference(s): ELSA-2014-1166
CVE-2014-3577
CVE-2012-6153
Version: 5
Platform(s): Oracle Linux 7
Oracle Linux 6
Oracle Linux 5
Product(s): jakarta-commons-httpclient
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 11

Nessus® Vulnerability Scanner

Date Description
2016-10-31 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_ac18046c9b0811e68011005056925db4.nasl - Type : ACT_GATHER_INFO
2015-10-15 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2769-1.nasl - Type : ACT_GATHER_INFO
2015-09-01 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-0158.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote Debian host is missing a security update.
File : debian_DLA-222.nasl - Type : ACT_GATHER_INFO
2015-04-17 Name : The remote Windows host has web portal software installed that is affected by...
File : websphere_portal_8_0_0_1_cf15.nasl - Type : ACT_GATHER_INFO
2014-12-22 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-2019.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-1834.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-1833.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1098.nasl - Type : ACT_GATHER_INFO
2014-10-12 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-410.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1321.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1320.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-170.nasl - Type : ACT_GATHER_INFO
2014-09-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1162.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9629.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9617.nasl - Type : ACT_GATHER_INFO
2014-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9539.nasl - Type : ACT_GATHER_INFO
2014-08-27 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9581.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2014-09-13 13:43:11
  • Multiple Updates
2014-09-05 05:25:45
  • Multiple Updates
2014-09-04 21:27:16
  • Multiple Updates
2014-09-02 17:21:48
  • First insertion