Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.8
CVE Id: CVE-2012-5784
Last Modified: 27 Jan 2014 11:48:58
Published: 04 Nov 2012 05:55:03
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2012-5784

Summary

Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Vulnerable Systems

Application

  • Apache ActiveMQ -

  • Apache Axis -

  • Apache Axis 1.0

  • Apache Axis 1.1

  • Apache Axis 1.2

  • Apache Axis 1.2.1

  • Apache Axis 1.3

  • Apache Axis 1.4

  • PayPal Mass Pay -

  • PayPal Payments Pro -

  • PayPal Transactional Information SOAP -


References

MISC - http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

XF - apache-axis-ssl-spoofing(79829)

BID - 56408

SECUNIA - 51219

REDHAT - RHSA-2013:0269

REDHAT - RHSA-2013:0683

REDHAT - RHSA-2014:0037

Related Patches

Red Hat 2013:0683-01 RHSA Moderate: axis security update for RHEL 5 x86


Last Updated: 27 May 2016 11:01:22