PT-2021-11168 · Unknown · Jbcs Httpd

Published: 2021-01-07 · Updated: 2021-01-14 · CVE-2020-25680

CVSS v2.0: 5.5 (Medium) · Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: JBCS httpd version 2.4.37 SP3
Description: A flaw was found in JBCS httpd: when a back-end worker's SSL certificate is configured with the keystore file's ID set to 'unknown', validation of that certificate stops working, so the proxy completes the connection to the back-end worker even when the certificate's CN does not match the back-end host name. Once the name check is gone, any certificate that otherwise validates is accepted for the back end, so whoever can present one between the proxy and the worker can read or alter the proxied traffic. The highest threat from this issue is to data integrity.
Recommendations: For version 2.4.37 SP3, until a fixed build is available, avoid configuring back-end worker SSL certificates with the keystore file's ID set to 'unknown', so that the certificate check is not silently skipped. Restrict network access to the back-end workers to the proxy hosts that need them; this limits who could sit between proxy and worker and present a mismatched certificate. RHSA-2020:4384, listed under related identifiers below, is the vendor advisory associated with this entry; consult it and the vendor's errata for a fixed package, as this page records no newer fixed version.
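The check that the flaw disables is the comparison of the back-end certificate's names against the configured back-end host name. The following is an added illustration of that check written for this entry; it is not JBCS httpd or mod_ssl code, and the certificate dicts in it are constructed for the example in the layout Python's ssl.SSLSocket.getpeercert() returns. It shows the three outcomes that matter here: a matching name is accepted, a placeholder CN such as 'unknown' is rejected, and a SAN for the wrong host is rejected even when the CN happens to match.

```python
"""Hostname-vs-certificate check of the kind a reverse proxy must apply to a
back-end worker's TLS certificate.  Added illustration for CVE-2020-25680; this
is not JBCS httpd / mod_ssl code.  The certificate dicts below are constructed
for the example and use the layout returned by ssl.SSLSocket.getpeercert()."""
import ssl


def _label_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (RFC 6125 style):
    case-insensitive, and '*' allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard only as the entire leftmost label, covering exactly one label,
    # and never for a two-label name such as "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """Names the certificate claims: DNS SANs if present, otherwise the CN."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Fall back to the CN only when the certificate carries no SAN at all.
    for rdn in cert.get("subject", ()):
        for (k, v) in rdn:
            if k == "commonName":
                return [v]
    return []


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if some name in the certificate matches the configured
    back-end host name.  A certificate with no usable name, or a placeholder
    such as 'unknown', must fail rather than be waved through."""
    return any(_label_matches(n, hostname) for n in cert_names(cert))


def verify_backend(cert: dict, hostname: str) -> None:
    """Reject the back-end connection on mismatch, as the proxy should."""
    if not hostname_matches(cert, hostname):
        raise ssl.CertificateError(
            f"back-end certificate names {cert_names(cert) or ['<none>']} "
            f"do not match configured host {hostname!r}")


# Constructed sample certificates (subject/SAN only; chain validation is
# assumed to have happened already and is out of scope here).
GOOD_CERT = {
    "subject": ((("commonName", "backend.internal"),),),
    "subjectAltName": (("DNS", "backend.internal"), ("DNS", "*.backend.internal")),
}
# CN is a placeholder and there is no SAN: must be rejected for any real host.
UNKNOWN_CN_CERT = {"subject": ((("commonName", "unknown"),),)}
# SAN present but for another host; the CN happens to match.  SAN wins: reject.
WRONG_SAN_CERT = {
    "subject": ((("commonName", "backend.internal"),),),
    "subjectAltName": (("DNS", "other.internal"),),
}


def demo() -> dict:
    """Run the check over the samples and report which would be accepted."""
    cases = {
        "good": (GOOD_CERT, "backend.internal"),
        "good-wildcard": (GOOD_CERT, "app1.backend.internal"),
        "unknown-cn": (UNKNOWN_CN_CERT, "backend.internal"),
        "wrong-san": (WRONG_SAN_CERT, "backend.internal"),
        "wildcard-too-deep": (GOOD_CERT, "a.b.backend.internal"),
    }
    results = {}
    for name, (cert, host) in cases.items():
        try:
            verify_backend(cert, host)
            results[name] = "accepted"
        except ssl.CertificateError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:18} {outcome}")
```

In Apache httpd terms, the proxy-side equivalent of this check is governed by mod_ssl's SSLProxyVerify, SSLProxyCheckPeerName and SSLProxyCheckPeerCN directives (generic httpd 2.4 directives, not a statement about how JBCS packages them). The practical check after updating is to point the proxy at a back end that presents a certificate for the wrong name and confirm the connection is refused rather than silently proxied.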

Fix

Weakness Enumeration

Improper Certificate Validation

CVE-2020-25680
RHSA-2020:4384

Affected Products

Jbcs Httpd