PT-2014-2058 · Apache+4 · Apache Httpcomponents Httpclient+4
Published: 2014-08-18 · Updated: 2024-06-15 · CVE-2014-3577
CVSS v2.0: 6.4 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Apache HttpComponents HttpClient versions prior to 4.3.5
Apache HttpComponents HttpAsyncClient versions prior to 4.0.2
Description
The vulnerability is caused by improper verification of the SSL/TLS server certificate in the HttpClient module of Apache HttpComponents. It could allow a remote attacker to spoof SSL servers by modifying the content of the distinguished name (DN) field. Specifically, AbstractVerifier in Apache HttpComponents HttpClient does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate.
Recommendations
For Apache HttpComponents HttpClient versions prior to 4.3.5, update to version 4.3.5 or later to resolve the issue.
For Apache HttpComponents HttpAsyncClient versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue.
As a temporary workaround, consider restricting the use of the AbstractVerifier class until a patch is available.
Exploit
Fix
Improper Verification of Cryptographic Signature
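Added example, not code from HttpClient or from this advisory: a Java comparison of a naive comma-split CN extraction of the kind this flaw involves against parsing the subject DN into RDNs with javax.naming.ldap.LdapName, so that a "CN=" string embedded in another attribute's value is never mistaken for the real Common Name. The class name, method names and the subject DN are constructed for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

public class CnExtractionDemo {

    // Naive extraction (hypothetical, in the spirit of the flawed check): split the
    // DN string on commas and accept any token starting with "CN=". Text that merely
    // contains "CN=" inside another attribute's value is picked up as a CN.
    static List<String> naiveCns(String dn) {
        List<String> cns = new ArrayList<>();
        for (String token : dn.split(",")) {
            String t = token.trim();
            if (t.regionMatches(true, 0, "CN=", 0, 3)) {
                cns.add(t.substring(3));
            }
        }
        return cns;
    }

    // Hardened extraction: parse the DN as RFC 2253 RDNs and take only the value of
    // RDNs whose attribute type is CN. Escaped separators inside a value stay inside it.
    static List<String> parsedCns(String dn) throws InvalidNameException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            if ("CN".equalsIgnoreCase(rdn.getType())) {
                cns.add(String.valueOf(rdn.getValue()));
            }
        }
        return cns;
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed subject DN: the O attribute's value contains an escaped comma
        // followed by "CN=www.example.com"; the only real CN is evil.example.net.
        String dn = "CN=evil.example.net, O=foo\\,CN=www.example.com, C=US";
        // The naive list also contains www.example.com; the parsed list does not.
        System.out.println("naive : " + naiveCns(dn));
        System.out.println("parsed: " + parsedCns(dn));
    }
}
```

In a hostname verifier, the parsed list is the one that must be matched against the requested host, and subjectAltName entries should be preferred over the CN whenever they are present.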
Related Identifiers
Affected Products
Apache Httpcomponents Httpclient
Centos
Red Hat
Suse
Ubuntu