[jira] [Updated] (NUTCH-2786) TrustManager methods do not have certificate validation logic


Tim Allison (Jira)

     [ https://issues.apache.org/jira/browse/NUTCH-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Md Mahir Asef Kabir updated NUTCH-2786:
---------------------------------------
    Description:
* *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.


 * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.

 * *Suggested Fix:* Add the necessary certificate verification logic in the overridden methods. This is example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .

 * *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -

 # Liked it and will make the suggested changes
 # Liked it but happy with the existing version
 # Didn’t find the suggestion helpful

  was:
* *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.


 * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.

 * *Suggested Fix:* Add the necessary certificate verification logic in the overridden methods.

 * *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -

 # Liked it and will make the suggested changes
 # Liked it but happy with the existing version
 # Didn’t find the suggestion helpful


> TrustManager methods do not have certificate validation logic
> -------------------------------------------------------------
>
>                 Key: NUTCH-2786
>                 URL: https://issues.apache.org/jira/browse/NUTCH-2786
>             Project: Nutch
>          Issue Type: Improvement
>          Components: plugin, protocol
>    Affects Versions: 1.16
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: 1.18
>
>
> * *Vulnerability Description:* In “src/plugin/protocol-httpclient/src/java/org/apache/nutch/protocol/httpclient/DummyX509TrustManager.java” overridden TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) do not have validation logic for certificates.
>  * *Reason it’s vulnerable:* It is vulnerable because DummyX509TrustManager implements X509TrustManager and it overrides the standard TrustManager methods (i.e. checkClientTrusted and checkServerTrusted) to do nothing but return a hard-coded *true*. Certificate validation is expected to be handled by these methods. Doing nothing means no verification.
>  * *Suggested Fix:* Add the necessary certificate verification logic in the overridden methods. This is example code showing a format that can be used and modified appropriately to implement the certificate validation logic - https://paste.ubuntu.com/p/jWtH2yTNR8/ .
>  * *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)