PT-2020-16363 · Opencast Community · Opencast

Intrigus-Lgtm · Published 2020-12-08 · Updated 2020-12-10 · CVE-2020-26234

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Opencast versions prior to 7.9
Opencast versions prior to 8.9

Description

The issue concerns Opencast's HTTP client, which disables HTTPS hostname verification for a large portion of its HTTP requests. Hostname verification is crucial when using HTTPS: it checks that the presented certificate is actually valid for the host being contacted, not merely signed by a trusted authority. Disabling it allows a network attacker to present a certificate for a different host and so mount a man-in-the-middle attack. This problem is fixed in Opencast 7.9 and Opencast 8.9. After the fix, Opencast no longer accepts self-signed certificates unless they have been properly imported into the Java key store.

Recommendations

For Opencast versions prior to 7.9, update to Opencast 7.9 or later to fix the issue. For Opencast versions prior to 8.9, update to Opencast 8.9 or later to fix the issue. As a general mitigation measure, import self-signed certificates into the Java key store or obtain a valid certificate for the host, so that verification can stay enabled while secure communication still works.
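The following added example (not Opencast's code, and not the upstream fix) shows the anti-pattern the description refers to beside its corrected form, using the Apache HttpClient 4.4+ API, which is an assumption about the client library; the host name, trust-store path and password are placeholders. The weak variant installs a no-op hostname verifier, so any certificate that chains to a trusted CA is accepted for any host; the hardened variant keeps the default RFC 2818/6125 matching and, for a self-signed peer, trusts that specific certificate through a dedicated trust store instead of switching verification off.

```java
import java.io.File;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

public class HostnameVerificationExample {

    /**
     * Weak configuration (the class of defect described in the advisory):
     * NoopHostnameVerifier accepts a certificate issued for any name, so a
     * certificate valid for some other host passes when connecting to this one.
     * Kept here only as the "before" picture; do not use in production code.
     */
    static CloseableHttpClient clientWithoutHostnameVerification(SSLContext ctx) {
        SSLConnectionSocketFactory sf =
            new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    /**
     * Hardened configuration: DefaultHostnameVerifier checks the requested host
     * against the certificate's subjectAltName entries (RFC 2818 / RFC 6125).
     */
    static CloseableHttpClient clientWithHostnameVerification(SSLContext ctx) {
        HostnameVerifier verifier = new DefaultHostnameVerifier();
        SSLConnectionSocketFactory sf = new SSLConnectionSocketFactory(ctx, verifier);
        return HttpClients.custom().setSSLSocketFactory(sf).build();
    }

    /**
     * Trust material for a self-signed peer: a trust store that contains that
     * certificate. This is the supported way to talk to a self-signed host
     * while keeping hostname verification on; the certificate itself must
     * still carry the host name in its subjectAltName or the check fails.
     */
    static SSLContext contextTrusting(File trustStore, char[] password) throws Exception {
        return SSLContexts.custom()
            .loadTrustMaterial(trustStore, password)
            .build();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder trust-store location and password (constructed for the example).
        File store = new File(System.getProperty("user.home"), "opencast-truststore.jks");
        SSLContext ctx = contextTrusting(store, "changeit".toCharArray());

        // Placeholder host; the request only succeeds if the presented certificate
        // is trusted via the store above AND names this host.
        try (CloseableHttpClient client = clientWithHostnameVerification(ctx);
             CloseableHttpResponse resp = client.execute(new HttpGet("https://opencast.example/"))) {
            System.out.println(resp.getStatusLine());
        }
    }
}
```

The trust store used above is created with the JDK's keytool, for example `keytool -importcert -alias opencast-peer -file peer.crt -keystore opencast-truststore.jks`; alternatively the certificate can be imported into the JVM's default store (`$JAVA_HOME/lib/security/cacerts`), which is what the advisory's "import into the Java key store" recommendation refers to. Either way the fix is to add trust for the specific certificate, never to replace the hostname verifier.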

Fix

Origin Validation Error


Weakness Enumeration

Related Identifiers

CVE-2020-26234
GHSA-44CW-P2HM-GPF6

Affected Products

Opencast