[ 
https://issues.apache.org/jira/browse/CMIS-1112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270796#comment-17270796
 ] 

Ya Xiao commented on CMIS-1112:
-------------------------------

Thank you so much for replying. We are a security research team at Virginia 
Tech. We are doing an empirical study about the usefulness of the existing 
security vulnerability detection tools. The reported one is what we got from 
certain tools. 


We would greatly appreciate it if you could give us some information on the
following questions. Your feedback is important for us to help improve the
state-of-the-art.
 1. What kind of bug checker/vulnerability detection tools are you using? Do you
think they are helpful?
 2. Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
 3. What kind of support do you expect from a useful bug detector? E.g.
demonstration of exploits or some customized fixing suggestions?

> Customized HostnameVerifier bypasses the hostname verification
> --------------------------------------------------------------
>
>                 Key: CMIS-1112
>                 URL: https://issues.apache.org/jira/browse/CMIS-1112
>             Project: Chemistry
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>              Labels: patch, security
>
> In file 
> [chemistry-opencmis/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java]
>  , the customized HostnameVerifier allows all hostnames to pass the 
> verification (at Line 412).
> *Security Impact*:
> Hostname Verification is required to verify the identity of the other party. 
> Bypassing it could allow man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/297.html]
> *Solution we suggest:*
> Do not customize the HostnameVerifier or specify the verification logic 
> instead of allowing all hostnames. 
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
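
The allow-all pattern the report describes, next to the two remedies it suggests, as an added example that is not taken from the issue or from the OpenCMIS Workbench source. The class name, the `pinned` and `acceptsAnyHost` helpers, the host `cmis.example.org` and the fingerprint are assumptions made for illustration; `HexFormat` requires Java 17 or later.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.security.MessageDigest;
import java.util.HexFormat;

public class HostnameVerifierCheck {

    // Pattern the report describes (constructed here, not the Workbench source):
    // every name is accepted, so a certificate issued for any host passes.
    static final HostnameVerifier ALLOW_ALL = (hostname, session) -> true;

    // Remedy 1: do not customize. HttpsURLConnection calls the verifier only
    // after its built-in check found a mismatch, and the JDK default rejects it.
    static final HostnameVerifier JDK_DEFAULT = HttpsURLConnection.getDefaultHostnameVerifier();

    // Remedy 2: explicit logic. A mismatch is tolerated only for one expected
    // host whose leaf certificate matches a pinned SHA-256 fingerprint.
    static HostnameVerifier pinned(String expectedHost, String sha256Hex) {
        return (hostname, session) -> {
            try {
                if (!expectedHost.equalsIgnoreCase(hostname)) return false;
                byte[] der = session.getPeerCertificates()[0].getEncoded();
                byte[] digest = MessageDigest.getInstance("SHA-256").digest(der);
                return MessageDigest.isEqual(digest, HexFormat.of().parseHex(sha256Hex));
            } catch (Exception e) {
                return false; // fail closed on any error
            }
        };
    }

    // Regression check for a test suite: a verifier that accepts a made-up
    // host without inspecting the session is an allow-all verifier.
    static boolean acceptsAnyHost(HostnameVerifier v) {
        try {
            return v.verify("unexpected-host.invalid", (SSLSession) null);
        } catch (RuntimeException e) {
            return false; // it dereferenced the session, so it is not allow-all
        }
    }

    public static void main(String[] args) {
        String placeholderPin = "00".repeat(32); // placeholder, not a real fingerprint
        System.out.println("allow-all:   " + acceptsAnyHost(ALLOW_ALL));
        System.out.println("JDK default: " + acceptsAnyHost(JDK_DEFAULT));
        System.out.println("pinned:      " + acceptsAnyHost(pinned("cmis.example.org", placeholderPin)));
    }
}
```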
