PT-2012-1252 · Apache+1 · Apache Commons Httpclient+1

Florian Weimer · Published 2012-11-20 · Updated 2018-10-17 · CVE-2012-6153

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Apache Commons HttpClient versions prior to 4.2.3

Description: The issue is related to insufficient verification of input data in the Apache Commons HttpClient library, part of Apache HttpComponents. It allows a remote attacker to spoof SSL servers using a specially crafted certificate. The problem arises because the server hostname is not properly checked against the domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. Specifically, the AbstractVerifier.java class does not correctly verify the server hostname when a common name is specified in a subject field other than the CN field.

Recommendations: For versions prior to 4.2.3, update to version 4.2.3 or later to resolve the issue. As a temporary workaround, consider restricting the use of SSL connections to trusted servers with properly validated certificates. Avoid using the AbstractVerifier.java class until a patch is applied.
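The check the description calls for, as an added illustration (this is not HttpClient's own code): subjectAltName dNSName entries are consulted first, the CN is used only when no dNSName is present, and the CN is obtained by parsing the subject DN into RFC 2253 RDNs and keeping only those whose attribute type is CN, rather than searching the DN string for "CN=". The class name, method names and the sample DN in main are assumptions constructed for the example; the wildcard handling a production verifier needs is deliberately left out so the CN/SAN logic stays readable.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/** Illustrative strict hostname check (added example; hypothetical class, not HttpClient code). */
public final class StrictHostnameCheck {

    /** GeneralName tag number for dNSName entries in subjectAltName. */
    private static final int SAN_DNS_NAME = 2;

    /**
     * Names the certificate is actually valid for: every dNSName SAN entry, or,
     * only when the certificate carries no dNSName SAN at all, its CN attribute(s).
     */
    public static List<String> candidateNames(X509Certificate cert)
            throws CertificateParsingException, InvalidNameException {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> entry : sans) {
                // Each entry is [Integer type, Object value]; keep dNSName only.
                if (((Integer) entry.get(0)) == SAN_DNS_NAME) {
                    names.add((String) entry.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
            names.addAll(commonNames(dn));
        }
        return names;
    }

    /**
     * Extract CN values by parsing the DN into RDNs. A value such as
     * O="CN=www.example.com" is an O attribute and is never mistaken for a CN.
     */
    public static List<String> commonNames(String subjectDn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            // Simplification: multi-valued RDNs (CN=a+O=b) report a single type.
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    /** Exact, case-insensitive comparison of the requested host against the candidates. */
    public static boolean matches(String host, List<String> candidates) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String c : candidates) {
            if (h.equals(c.toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample DN: "CN=www.example.com" occurs only inside the O attribute's value.
        String dn = "O=\"CN=www.example.com\",CN=other.example.org";
        System.out.println("CN values: " + commonNames(dn));
        System.out.println("www.example.com accepted? " + matches("www.example.com", commonNames(dn)));
        System.out.println("other.example.org accepted? " + matches("other.example.org", commonNames(dn)));
    }
}
```

In an HttpClient deployment this logic would sit behind the X509HostnameVerifier interface; the point of the example is the order of checks (SAN before CN) and the structured DN parse, both of which are what the 4.2.3 fix restores.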

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-08709
CVE-2012-6153
DLA-222-1
GHSA-2X83-R56G-CV47
MGASA-2014-0347
MGASA-2014-0348
RHSA-2014:1098
RHSA-2014:1162
RHSA-2014:1320
RHSA-2014:1321
RHSA-2014:1833
RHSA-2014:1834
RHSA-2014:2019
RHSA-2015:0158
USN-2769-1

Affected Products

Apache Commons Httpclient
Ubuntu