製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の製品で使用される Apache Axis における SSL サーバを偽装される脆弱性

Title	複数の製品で使用される Apache Axis における SSL サーバを偽装される脆弱性
Summary	複数の PayPal 製品、Apache ActiveMQ の Java Message Service の実装、および他の製品で使用される Apache Axis は、サーバホスト名と X.509 証明書上の subject の Common Name (CN) または subjectAltName フィールドのドメイン名を照合しないため、SSL サーバを偽装される脆弱性が存在します。
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、任意の有効な証明書を介して、SSL サーバを偽装される可能性があります。
Solution	ベンダ情報および参考情報を参照して適切な対策を実施してください。
Publication Date	Nov. 4, 2012, midnight
Registration Date	Nov. 7, 2012, 2:26 p.m.
Last Update	Feb. 16, 2016, 5:26 p.m.

CVSS2.0 : 警告
Score	5.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:N

Affected System

Apache Software Foundation

Apache ActiveMQ

Apache Axis 1.4 およびそれ以前

PayPal

PayPal Mass Pay

PayPal Payments Pro

PayPal Transactional Information SOAP

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-5784	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
2	CVE-2012-5784	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5784
National Vulnerability Database (NVD)
3	CVE-2012-5784	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784
4	CVE-2012-5784	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5784

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html
2	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apache Software Foundation
1	Apache ActiveMQ	http://activemq.apache.org/
2	Apache ActiveMQ	http://activemq.apache.org/
3	WebServices - Axis	http://axis.apache.org/axis/
4	WebServices - Axis	http://axis.apache.org/axis/
PayPal
5	Developer Central	https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/home
6	Developer Central	https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/home
Red Hat Security Advisory
7	RHSA-2013:0269	http://rhn.redhat.com/errata/RHSA-2013-0269.html
8	RHSA-2013:0269	http://rhn.redhat.com/errata/RHSA-2013-0269.html
9	RHSA-2013:0683	http://rhn.redhat.com/errata/RHSA-2013-0683.html
10	RHSA-2013:0683	http://rhn.redhat.com/errata/RHSA-2013-0683.html
11	RHSA-2014:0037	http://rhn.redhat.com/errata/RHSA-2014-0037.html
12	RHSA-2014:0037	http://rhn.redhat.com/errata/RHSA-2014-0037.html

その他

No	Name	URL
関連文書
1	The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software	http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
2	The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software	http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

Change Log

No	Changed Details	Date of change
0	[2012年11月07日] 掲載 [2016年02月16日] ベンダ情報：レッドハット (RHSA-2014:0037) を追加ベンダ情報：レッドハット (RHSA-2013:0683) を追加ベンダ情報：レッドハット (RHSA-2013:0269) を追加	Feb. 17, 2018, 10:37 a.m.
0	[2012年11月07日] 掲載 [2016年02月16日] ベンダ情報：レッドハット (RHSA-2014:0037) を追加ベンダ情報：レッドハット (RHSA-2013:0683) を追加ベンダ情報：レッドハット (RHSA-2013:0269) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-5784

Summary	Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publication Date	Nov. 5, 2012, 7:55 a.m.
Registration Date	Jan. 28, 2021, 3:06 p.m.
Last Update	Nov. 21, 2024, 10:45 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:axis:1.0:rc1::::::
cpe:2.3:a:paypal:mass_pay:-:::::::*
cpe:2.3:a:apache:axis:-:beta1::::::
cpe:2.3:a:apache:axis:1.1:rc2::::::
cpe:2.3:a:apache:axis:1.2:alpha::::::
cpe:2.3:a:apache:axis:1.0:beta::::::
cpe:2.3:a:paypal:transactional_information_soap:-:::::::*
cpe:2.3:a:apache:axis:1.2:::::::*
cpe:2.3:a:paypal:payments_pro:-:::::::*
cpe:2.3:a:apache:axis:1.2:rc2::::::
cpe:2.3:a:apache:axis:1.2:rc3::::::
cpe:2.3:a:apache:axis:1.2.1:::::::*
cpe:2.3:a:apache:axis:-:beta2::::::
cpe:2.3:a:apache:axis:1.0:rc2::::::
cpe:2.3:a:apache:axis:1.2:beta2::::::
cpe:2.3:a:apache:axis:1.1:::::::*
cpe:2.3:a:apache:axis:-:alpha2::::::
cpe:2.3:a:apache:axis:1.1:rc1::::::
cpe:2.3:a:apache:axis:1.2:rc1::::::
cpe:2.3:a:apache:axis:-:alpha1::::::
cpe:2.3:a:apache:axis:1.1:beta::::::
cpe:2.3:a:apache:activemq::::::::		5.7.0
cpe:2.3:a:apache:axis:1.2:beta1::::::
cpe:2.3:a:apache:axis:-:beta3::::::
cpe:2.3:a:apache:axis::::::::		1.4
cpe:2.3:a:apache:axis:-:alpha3::::::
cpe:2.3:a:apache:axis:1.3:::::::*
cpe:2.3:a:apache:axis:1.0:::::::*
cpe:2.3:a:apache:axis:1.2:beta3::::::

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
2	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00007.html
3	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
4	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00022.html
5	http://rhn.redhat.com/errata/RHSA-2013-0269.html	Third Party Advisory
6	http://rhn.redhat.com/errata/RHSA-2013-0269.html	Third Party Advisory
7	http://rhn.redhat.com/errata/RHSA-2013-0683.html	Third Party Advisory
8	http://rhn.redhat.com/errata/RHSA-2013-0683.html	Third Party Advisory
9	http://rhn.redhat.com/errata/RHSA-2014-0037.html	Third Party Advisory
10	http://rhn.redhat.com/errata/RHSA-2014-0037.html	Third Party Advisory
11	http://secunia.com/advisories/51219
12	http://secunia.com/advisories/51219
13	http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf	Exploit Technical Description
14	http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf	Exploit Technical Description
15	http://www.securityfocus.com/bid/56408	Third Party Advisory VDB Entry
16	http://www.securityfocus.com/bid/56408	Third Party Advisory VDB Entry
17	https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
18	https://exchange.xforce.ibmcloud.com/vulnerabilities/79829
19	https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
20	https://lists.apache.org/thread.html/44d4e88a5fa8ae60deb752029afe9054da87c5f859caf296fcf585e5%40%3Cjava-dev.axis.apache.org%3E
21	https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
22	https://lists.apache.org/thread.html/5e6c92145deddcecf70c3604041dcbd615efa2d37632fc2b9c367780%40%3Cjava-dev.axis.apache.org%3E
23	https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
24	https://lists.apache.org/thread.html/8aa25c99eeb0693fc229ec87d1423b5ed5d58558618706d8aba1d832%40%3Cjava-dev.axis.apache.org%3E
25	https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
26	https://lists.apache.org/thread.html/a308887782e05da7cf692e4851ae2bd429a038570cbf594e6631cc8d%40%3Cjava-dev.axis.apache.org%3E
27	https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E
28	https://lists.apache.org/thread.html/de2af12dcaba653d02b03235327ca4aa930401813a3cced8e151d29c%40%3Cjava-dev.axis.apache.org%3E

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:axis:1.0:rc1::::::
cpe:2.3:a:paypal:mass_pay:-:::::::*
cpe:2.3:a:apache:axis:-:beta1::::::
cpe:2.3:a:apache:axis:1.1:rc2::::::
cpe:2.3:a:apache:axis:1.2:alpha::::::
cpe:2.3:a:apache:axis:1.0:beta::::::
cpe:2.3:a:paypal:transactional_information_soap:-:::::::*
cpe:2.3:a:apache:axis:1.2:::::::*
cpe:2.3:a:paypal:payments_pro:-:::::::*
cpe:2.3:a:apache:axis:1.2:rc2::::::
cpe:2.3:a:apache:axis:1.2:rc3::::::
cpe:2.3:a:apache:axis:1.2.1:::::::*
cpe:2.3:a:apache:axis:-:beta2::::::
cpe:2.3:a:apache:axis:1.0:rc2::::::
cpe:2.3:a:apache:axis:1.2:beta2::::::
cpe:2.3:a:apache:axis:1.1:::::::*
cpe:2.3:a:apache:axis:-:alpha2::::::
cpe:2.3:a:apache:axis:1.1:rc1::::::
cpe:2.3:a:apache:axis:1.2:rc1::::::
cpe:2.3:a:apache:axis:-:alpha1::::::
cpe:2.3:a:apache:axis:1.1:beta::::::
cpe:2.3:a:apache:activemq::::::::		5.7.0
cpe:2.3:a:apache:axis:1.2:beta1::::::
cpe:2.3:a:apache:axis:-:beta3::::::
cpe:2.3:a:apache:axis::::::::		1.4
cpe:2.3:a:apache:axis:-:alpha3::::::
cpe:2.3:a:apache:axis:1.3:::::::*
cpe:2.3:a:apache:axis:1.0:::::::*
cpe:2.3:a:apache:axis:1.2:beta3::::::