Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2014-3596

Disclosure Date: August 27, 2014
CVE-2014-3596
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • apache

Products

  • axis,
  • axis 1.0,
  • axis 1.1,
  • axis 1.2,
  • axis 1.2.1,
  • axis 1.3

References

Canonical
CVE-2014-3596 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3596)
BID-69295 (http://www.securityfocus.com/bid/69295)
Advisory
[oss-security] 20140820 CVE-2014-3596 - Apache Axis 1 vulnerable to MITM attack (http://www.openwall.com/lists/oss-security/2014/08/20/2)
XF-apache-axis-cve20143596-spoofing(95377) (https://exchange.xforce.ibmcloud.com/vulnerabilities/95377)
SECTRACK-1030745 (http://www.securitytracker.com/id/1030745)
SECUNIA-61222 (http://secunia.com/advisories/61222)
http://rhn.redhat.com/errata/RHSA-2014-1193.html
http://linux.oracle.com/errata/ELSA-2014-1193.html
[axis-java-dev] 20190503 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 (https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5@%3Cjava-dev.axis.apache.org%3E)
[axis-java-dev] 20190503 [jira] [Comment Edited] (AXIS-2905) Insecure certificate validation CVE-2014-3596 (https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c@%3Cjava-dev.axis.apache.org%3E)
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
[axis-java-dev] 20190907 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 (https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832@%3Cjava-dev.axis.apache.org%3E)
[axis-java-dev] 20190909 [jira] [Resolved] (AXIS-2905) Insecure certificate validation CVE-2014-3596 (https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d@%3Cjava-dev.axis.apache.org%3E)
[axis-java-dev] 20190909 [jira] [Commented] (AXIS-2905) Insecure certificate validation CVE-2014-3596 (https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780@%3Cjava-dev.axis.apache.org%3E)
Miscellaneous
https://issues.apache.org/jira/browse/AXIS-2905
https://www.oracle.com/security-alerts/cpujan2020.html
https://access.redhat.com/errata/RHSA-2014:1193
https://access.redhat.com/errata/RHSA-2015:1010
https://access.redhat.com/security/cve/CVE-2014-3596
https://bugzilla.redhat.com/show_bug.cgi?id=1129935
https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis