https://bugzilla.redhat.com/show_bug.cgi?id=1127276
Bug ID: 1127276 Summary: CVE-2014-5075 smack: MitM vulnerability Product: Security Response Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: vkaigoro@redhat.com CC: brms-jira@redhat.com, java-sig-commits@lists.fedoraproject.org, pavelp@redhat.com, puntogil@libero.it, tkirby@redhat.com, weli@redhat.com
It was reported [1] that Smack (XMPP client library) is vulnerable to MitM attacks with a crafted SSL certificates. Quote from [1]: ... Details -------
Smack is using Java's `SSLSocket`, which checks the peer certificate using an `X509TrustManager`, but does not perform hostname verification. Therefore, it is possible to redirect the traffic between a Smack-using application and a legitimate XMPP server through the attacker's server, merely by providing a valid certificate for a domain under the attacker's control.
In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager` implementation was used, which was supplied with the connection's server name, and performed hostname verification. However, it failed to verify the basicConstraints and nameConstraints of the certificate chain (CVE-2014-0363, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0363) and has been removed in Smack 4.0.0.
Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did not benefit from `ServerTrustManager` and are vulnerable as well, unless their own `TrustManager` implementation explicitly performs hostname verification. ...
[1]: http://seclists.org/bugtraq/2014/Aug/29