Update Apache HttpComponents to 4.3.5 - CVE-2014-3577: Apache HttpComponents client: Hostname verification susceptible to MITM attack [SPR-12100] #16716

Closed
spring-projects-issues opened this issue Aug 19, 2014 · 1 comment
Labels
in: web Issues in web modules (web, webmvc, webflux, websocket) status: backported An issue that has been backported to maintenance branches type: task A general task
Comments

JimK opened SPR-12100 and commented

Security Advisory - Apache Software Foundation
Apache HttpComponents / hc.apache.org

Hostname verification susceptible to MITM attack

CVE-2014-3577 / CVSS 1.4

Apache HttpComponents (prior to revision 4.3.5/4.0.2) may be susceptible
to a 'Man in the Middle Attack' due to a flaw in the default hostname
verification during SSL/TLS when a specially crafted server side
certificate is used.

Background
During an SSL connection (https) the client verifies the hostname in
the URL against the hostname as encoded in the server's certificate (CN,
subjectAlt fields). This is to ensure that the client connects to the
'real' server, as opposed to something in the middle (man in the middle)
that may compromise end-to-end confidentiality and integrity.
Affects: 3.2.11, 4.0.6

Reference URL: http://mail-archives.apache.org/mod_mbox/www-announce/201408.mbox/CVE-2014-3577

Referenced from: commits 5cd1e6a, fb452fa

Backported to: 4.0.7
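The Background section above describes the check that the advisory is about: matching the URL's hostname against the names carried in the server's certificate. The Python below is an added example of such a verifier, not code from the advisory, Apache HttpComponents or Spring. It works on a certificate dictionary in the shape that Python's `ssl.SSLSocket.getpeercert()` returns (the dictionaries in the block are constructed), prefers subjectAltName entries over the CN, applies RFC 6125 wildcard rules, and reads the CN from the structured subject rather than by scanning the distinguished-name string. The function names `verify_hostname`, `cert_names` and `_dns_name_match` are this example's own.

```python
"""Hostname verification of the kind the advisory's Background describes.
Added example; not code from Apache HttpComponents or Spring.
Certificate dicts follow the shape returned by ssl.SSLSocket.getpeercert();
the ones used here are constructed for illustration."""
import ipaddress
from typing import Any, Dict, List, Tuple


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname (RFC 6125 style).

    A '*' is only accepted as the entire leftmost label, must leave at least
    two further labels (so '*' and '*.com' are refused), and never matches
    across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: Dict[str, Any]) -> Tuple[List[str], List[str], List[str]]:
    """Extract DNS SANs, IP SANs and commonName values from a getpeercert()-shaped dict.

    The CN is taken from the structured 'subject' RDN tuples, so text inside
    other subject attributes (O, OU, ...) can never be mistaken for a CN."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value)
        elif kind == "IP Address":
            ips.append(value)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return dns, ips, cns


def verify_hostname(cert: Dict[str, Any], hostname: str) -> bool:
    """Return True only if the URL host is one the certificate was issued for."""
    dns, ips, cns = cert_names(cert)
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # IP literals must match an IP SAN exactly; CN/DNS names do not count.
        return any(ipaddress.ip_address(i) == wanted_ip for i in ips)
    if dns:
        # When DNS SANs exist, the CN is ignored entirely (RFC 6125 section 6.4.4).
        return any(_dns_name_match(d, hostname) for d in dns)
    # Legacy fallback: CN is consulted only for certificates with no DNS SAN.
    return any(_dns_name_match(cn, hostname) for cn in cns)


# Constructed sample certificates (shape of ssl.getpeercert()).
SAN_CERT = {
    "subject": ((("organizationName", "Example Corp"),), (("commonName", "example.com"),)),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}
IP_CERT = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "subjectAltName": (("IP Address", "192.0.2.10"),),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "api.example.com"), (SAN_CERT, "example.com"),
                       (CN_ONLY_CERT, "legacy.example.org"), (IP_CERT, "192.0.2.11")]:
        print(host, "->", verify_hostname(cert, host))
```

Note that `example.com` is rejected against `SAN_CERT` even though it is the CN: once the certificate carries DNS SANs, only those are consulted, and `*.example.com` does not match the bare domain.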


Juergen Hoeller commented

Note that Spring just uses an optional version of Apache HttpComponents for compilation purposes and does not bring it into the application classpath itself. Instead, Spring users choose their own version of Apache HttpComponents, and this CVE suggests that they should be upgrading to 4.3.5 there.

That said, we're nevertheless upgrading our build to use HttpClient 4.3.5 / HttpAsyncClient 4.0.2 as of Spring 4.1 GA / 4.0.7. However, for backwards compatibility reasons, we are not going to upgrade our build beyond HttpComponents 4.2.x in the Spring 3.2.x line. Users are free to use HttpComponents 4.3.5 with Spring 3.2.x as well, of course.

Juergen

@spring-projects-issues spring-projects-issues added status: backported An issue that has been backported to maintenance branches in: web Issues in web modules (web, webmvc, webflux, websocket) type: task A general task labels Jan 11, 2019
@spring-projects-issues spring-projects-issues added this to the 4.1 GA milestone Jan 11, 2019