CVE-2012-5783¶
WSO2 Products impacted: no
Customer action required: no
REPORTED VULNERABILITY¶
Apache Commons HttpClient 3.x (as used in the affected component version 3.1.0) does not verify that the server hostname matches the Common Name (CN) or Subject Alternative Name (subjectAltName) in the server's X.509 certificate. This allows a man-in-the-middle attacker to spoof a trusted host by presenting an arbitrary valid certificate.1
REPORTED PRODUCTS¶
- WSO2 API Manager : 3.1.0, 3.2.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0
WSO2 JUSTIFICATION¶
WSO2 API Manager ships with a WSO2-maintained fork of Apache Commons HttpClient instead of the upstream 3.1.0 release. In this fork, SSL server hostname verification has been implemented to address the missing hostname validation described in CVE-2012-5783. This fix is available from commons-httpclient_3.1.0.wso2v3 onwards.2
Therefore, commons-httpclient_3.1.0.wso2v3 and all subsequent versions of the WSO2-maintained fork are not affected by this vulnerability.
CONCLUSION¶
- WSO2 products use a WSO2-maintained fork of Apache Commons HttpClient in which SSL server hostname verification has been implemented.
Therefore, WSO2 concludes that this vulnerability is already mitigated in the aforementioned WSO2 products, and a dependency upgrade will not be carried out solely based on the detection of CVE-2012-5783.