CVE-2014-3596

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subjects Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

Affected Software

Name	Vendor	Start Version	End Version
Axis	Apache	*	1.4 (including)
Axis	Apache	1.0 (including)	1.0 (including)
Axis	Apache	1.0-beta (including)	1.0-beta (including)
Axis	Apache	1.0-rc1 (including)	1.0-rc1 (including)
Axis	Apache	1.0-rc2 (including)	1.0-rc2 (including)
Axis	Apache	1.1 (including)	1.1 (including)
Axis	Apache	1.1-beta (including)	1.1-beta (including)
Axis	Apache	1.1-rc1 (including)	1.1-rc1 (including)
Axis	Apache	1.1-rc2 (including)	1.1-rc2 (including)
Axis	Apache	1.2 (including)	1.2 (including)
Axis	Apache	1.2-alpha (including)	1.2-alpha (including)
Axis	Apache	1.2-beta1 (including)	1.2-beta1 (including)
Axis	Apache	1.2-beta2 (including)	1.2-beta2 (including)
Axis	Apache	1.2-beta3 (including)	1.2-beta3 (including)
Axis	Apache	1.2-rc1 (including)	1.2-rc1 (including)
Axis	Apache	1.2-rc2 (including)	1.2-rc2 (including)
Axis	Apache	1.2-rc3 (including)	1.2-rc3 (including)
Axis	Apache	1.2.1 (including)	1.2.1 (including)
Axis	Apache	1.3 (including)	1.3 (including)
Red Hat Enterprise Linux 5	RedHat	axis-0:1.2.1-2jpp.8.el5_10	*
Red Hat Enterprise Linux 6	RedHat	axis-0:1.2.1-7.5.el6_5	*
Red Hat JBoss Portal 6.2	RedHat	axis	*
Axis	Ubuntu	lucid	*
Axis	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2014-3596
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html

Affected Software

References