Input validation error in Axis - CVE-2012-5784

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to Apache Axis did not verify that the server host name matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. A remote attacker can pass specially crafted input to the application and spoof an SSL server if they had a certificate that was valid for any domain name.

How to mitigate CVE-2012-5784

Sources

• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
• http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
• http://rhn.redhat.com/errata/RHSA-2013-0269.html
• http://rhn.redhat.com/errata/RHSA-2013-0683.html
• http://rhn.redhat.com/errata/RHSA-2014-0037.html
• http://secunia.com/advisories/51219
• http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
• http://www.securityfocus.com/bid/56408
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
• https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3E
• https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3E