The libwww-perl LWP::Protocol::https module 6.04 through 6.06 for Perl, when using IO::Socket::SSL as the SSL socket class, allows attackers to disable server certificate validation via the (1) HTTPS_CA_DIR or (2) HTTPS_CA_FILE environment variable.
Weakness
The product does not validate, or incorrectly validates, a certificate.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Lwp::protocol::https | Lwp::protocol::https_project | 6.04 (including) | 6.06 (including) |
| Liblwp-protocol-https-perl | Ubuntu | esm-infra-legacy/trusty | * |
| Liblwp-protocol-https-perl | Ubuntu | saucy | * |
| Liblwp-protocol-https-perl | Ubuntu | trusty | * |
| Liblwp-protocol-https-perl | Ubuntu | trusty/esm | * |
| Liblwp-protocol-https-perl | Ubuntu | upstream | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2014/05/02/8
- http://www.openwall.com/lists/oss-security/2014/05/04/1
- http://www.openwall.com/lists/oss-security/2014/05/06/8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
- https://github.com/libwww-perl/lwp-protocol-https/pull/14
- http://www.openwall.com/lists/oss-security/2014/05/02/8
- http://www.openwall.com/lists/oss-security/2014/05/04/1
- http://www.openwall.com/lists/oss-security/2014/05/06/8
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=746579
- https://github.com/libwww-perl/lwp-protocol-https/pull/14