CVE-2014-3596

Name of the Vulnerable Software and Affected Versions Apache Axis versions 1.4 and earlier

Description The issue arises from the getCN function not properly verifying that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. The problem exists due to an incomplete fix for a previous issue.

Recommendations For Apache Axis versions 1.4 and earlier, consider updating to a version that properly verifies the server hostname against the X.509 certificate's Common Name or subjectAltName field to prevent man-in-the-middle attacks. As a temporary workaround, consider restricting the use of SSL connections to trusted servers with properly validated certificates.