Vigil@nce - HttpClient: man in the middle of SSL
October 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a man in the middle in the SSL/TLS session
of HttpClient, in order to capture sensitive information.
– Impacted products: Apache HttpClient
– Severity: 2/4
– Creation date: 08/10/2013
DESCRIPTION OF THE VULNERABILITY
An HttpClient instance can use the X509HostnameVerifier interface
to define the methods that verify the domain name of an SSL/TLS
server against the certificate it presents.
However, in version 4.3, if users do not define their own verifier,
HttpClient does not check the domain name at all.
An attacker can therefore act as a man in the middle in the
SSL/TLS session of HttpClient, in order to capture sensitive
information.
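As an added example (not code from this bulletin or from the HttpClient project), the following Java snippet gives an HttpClient 4.3 client an explicit, strict hostname verifier instead of relying on the default, and then exercises that verifier directly against constructed certificate names to check that a mismatched name is rejected; the class name, method names and hostnames are assumptions.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;

public class HostnameVerifierExample {

    /** Builds a client whose SSL socket factory carries an explicit strict hostname verifier. */
    public static CloseableHttpClient buildClient() {
        SSLContext sslContext = SSLContexts.createSystemDefault();
        X509HostnameVerifier verifier = SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER;
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext, verifier);
        return HttpClients.custom().setSSLSocketFactory(sslsf).build();
    }

    /**
     * Calls the verifier with the names a certificate would carry (CNs and subjectAltNames).
     * Returns true when the verifier rejects the host, false when it accepts it.
     */
    public static boolean rejects(X509HostnameVerifier verifier, String host,
                                  String[] cns, String[] subjectAlts) {
        try {
            verifier.verify(host, cns, subjectAlts);
            return false; // accepted: the names match (or nothing was checked)
        } catch (SSLException e) {
            return true;  // rejected: the certificate was issued to another name
        }
    }

    public static void main(String[] args) {
        X509HostnameVerifier verifier = SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER;
        // Constructed sample names (hypothetical hosts, not taken from the bulletin).
        boolean mismatchRejected = rejects(verifier, "api.example.com",
                new String[] {"other.example.net"}, null);
        boolean matchAccepted = !rejects(verifier, "api.example.com",
                new String[] {"api.example.com"}, null);
        System.out.println("mismatched certificate name rejected: " + mismatchRejected);
        System.out.println("matching certificate name accepted:   " + matchAccepted);
    }
}
```

The direct call only checks the verifier's own logic; confirming that a given HttpClient build actually invokes the configured verifier during a connection requires a test against a server that presents a certificate issued to a different name.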
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/HttpClient-man-in-the-middle-of-SSL-13544