CVE-2014-3596

Description

The getCN function in Apache Axis 1.4 and earlier does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5784.

How to fix CVE-2014-3596

To remediate CVE-2014-3596, upgrade the affected package to a fixed version below.

• Debian/axis—upgrade to 1.4-21 or later
• —no fix listed
• —no fix listed

Is CVE-2014-3596 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

• from 0, < 1.4-21
• from 0, <= 1.4
• from 0, <= 1.4

References (26)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2014-3596
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2014-3596
• WEBlinux.oracle.com/errata/ELSA-2014-1193.html
• WEBlists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html