CVE-2012-5786

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 2.7.0

Description The issue arises from the wsdl first https sample code in Apache CXF, which fails to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This oversight allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. It is noted that the sample had specifically used a flag to bypass the DN check.

Recommendations For versions prior to 2.7.0, update to version 2.7.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of the wsdl first https sample code until a patch is available. Restrict access to SSL servers to minimize the risk of exploitation. Avoid using arbitrary valid certificates in the affected sample code until the issue is resolved.