[
https://issues.apache.org/jira/browse/CLOUDSTACK-10421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Md Mahir Asef Kabir updated CLOUDSTACK-10421:
---------------------------------------------
Description:
*Vulnerability Description:* In
“plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java”,
inside private static class TrustAllTrustManager implements TrustManager,
X509TrustManager, the overridden methods have no body -
{code:java}
// Both overrides are empty, so any certificate chain passes unchecked.
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
{code}
*Reason it’s vulnerable:* If a method responsible for checking certificates
doesn’t have any body, then it will trust all certificates.
*Suggested Fix:* Adding necessary certificate verification logic in the
overridden methods. This is example code showing a format that can be used
and modified appropriately to implement the certificate validation logic -
https://paste.ubuntu.com/p/jWtH2yTNR8/ .
*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
was:
*Vulnerability Description:* In
“plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java”,
inside private static class TrustAllTrustManager implements TrustManager,
X509TrustManager, the overridden methods have no body -
{code:java}
// Both overrides are empty, so any certificate chain passes unchecked.
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
{code}
*Reason it’s vulnerable:* If a method responsible for checking certificates
doesn’t have any body, then it will trust all certificates.
*Suggested Fix:* Adding necessary certificate verification logic in the
overridden methods.
*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
> Usage of Empty TrustManager Methods is insecure
> -----------------------------------------------
>
> Key: CLOUDSTACK-10421
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-10421
> Project: CloudStack
> Issue Type: Improvement
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)