Ya Xiao created CMIS-1113:
-----------------------------
Summary: Customized TrustManager bypasses certificate verification
Key: CMIS-1113
URL: https://issues.apache.org/jira/browse/CMIS-1113
Project: Chemistry
Issue Type: Improvement
Reporter: Ya Xiao
We found a security vulnerability in file
[chemistry-opencmis/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java|https://github.com/apache/chemistry-opencmis/blob/9e49c685af9044a64cde0ab111792d74e914f4f2/chemistry-opencmis-workbench/chemistry-opencmis-workbench/src/main/java/org/apache/chemistry/opencmis/workbench/model/ClientSession.java].
The customized TrustManager (at Line 393) allows all certificates to pass the
verification.
*Security Impact*:
The checkClientTrusted and checkServerTrusted methods are expected to implement
the certificate validation logic. Bypassing it could allow man-in-the-middle
attacks.
*Useful Resources*:
[https://cwe.mitre.org/data/definitions/295.html]
*Solution we suggest:*
Do not customize the TrustManager, or implement the certificate validation logic
instead of allowing all certificates. To accept self-signed certificates, the
proper way is to configure the trust store (see
https://developer.android.com/training/articles/security-ssl#SelfSigned).
Adding the certificate or its signer to the trust store allows the self-signed
certificate while still avoiding SSL spoofing.
*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
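The two alternatives the report contrasts, written out as an added example (this is not code from the OpenCMIS workbench or from the reporter). The first method is the accept-everything X509TrustManager pattern (CWE-295): checkServerTrusted never throws, so a man-in-the-middle presenting any certificate is accepted. The second is the suggested fix: the self-signed server certificate (or its signer) is placed in an in-memory trust store and the JDK's default X509TrustManager performs the chain validation. The file name server.pem and the CMIS URL are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustStoreExample {

    // The anti-pattern described in the report: both check methods return without
    // inspecting the chain, so every certificate "passes". Shown only for contrast.
    static TrustManager[] trustAll() {
        return new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] chain, String authType) { }
                public void checkServerTrusted(X509Certificate[] chain, String authType) { }
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
    }

    // The fix: load the self-signed certificate (or its issuer) into a trust store
    // and let the default TrustManagerFactory build a real validating TrustManager.
    static SSLContext contextTrusting(InputStream pemCertificate) throws Exception {
        // CertificateFactory accepts PEM (-----BEGIN CERTIFICATE-----) as well as DER.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate anchor = cf.generateCertificate(pemCertificate);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                   // fresh, empty in-memory store
        trustStore.setCertificateEntry("cmis-server", anchor);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                          // only this anchor is trusted

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // server.pem is a hypothetical file holding the server's self-signed certificate,
        // e.g. exported once out-of-band from the CMIS server's operator.
        try (InputStream in = new FileInputStream("server.pem")) {
            SSLContext ctx = contextTrusting(in);
            URL url = new URL("https://cmis.example.internal/atom"); // hypothetical endpoint
            HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
            conn.setSSLSocketFactory(ctx.getSocketFactory());
            // Deliberately no setHostnameVerifier: the default verifier still checks
            // that the certificate's subject/SAN matches the host.
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```

With the trust-all manager a connection to an attacker who presents their own certificate for the same host name succeeds; with contextTrusting it fails with an SSLHandshakeException, because only the pinned anchor can validate the chain. The same SSLContext can be handed to any HTTP client the workbench uses, so the accept-all manager is not needed to reach servers with self-signed certificates.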