CVE-2014-3603
https://notcve.org/view.php?id=CVE-2014-3603
The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Las implementaciones de (1) HttpResource y (2) FileBackedHttpResource en el Proveedor de Identidad (IdP) de Shibboleth, en versiones anteriores a la 2.4.1, y en OpenSAML Java, en su versión 2.6.2, no verifican que el nombre de host del servidor se corresponda con un nombre de dominio en el campo "Common Name" (CN) del asunto o en el campo "subjectAltName" del certificado X.509. Esto permite a los atacantes Man-in-the-Middle (MitM) suplantar los servidores SSL a través de un certificado arbitrario válido. • http://secunia.com/advisories/60816 http://shibboleth.net/community/advisories/secadv_20140813.txt https://bugzilla.redhat.com/show_bug.cgi?id=1131823 • CWE-297: Improper Validation of Certificate with Host Mismatch •
CVE-2015-1796 – Java: PKIX Trust Engines Exhibit Critical Flaw In Trusted Names Evaluation
https://notcve.org/view.php?id=CVE-2015-1796
The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. Los motores de confianza PKIX en Shibboleth Identity Provider anterior a 2.4.4 y OpenSAML Java (OpenSAML-J) anterior a 2.6.5 confían en los certificados X.509 de candidatos cuando nombres no confiables están disponibles para el identificador de entidad, lo que permite a atacantes remotos suplantar una entidad a través de un certificado emitido por una ancla de confianza shibmd:KeyAuthority. It was found that PKIX trust components allowed an X.509 credential to be trusted if no trusted names were available for the entityID. An attacker could use a certificate issued by a shibmd:KeyAuthority trust anchor to impersonate an entity within the scope of that keyAuthority. • http://rhn.redhat.com/errata/RHSA-2015-1176.html http://rhn.redhat.com/errata/RHSA-2015-1177.html http://www.securityfocus.com/bid/75370 https://shibboleth.net/community/advisories/secadv_20150225.txt https://access.redhat.com/security/cve/CVE-2015-1796 https://bugzilla.redhat.com/show_bug.cgi?id=1196619 • CWE-254: 7PK - Security Features •