[Bug 1709379] New: CVE-2018-20200 okhttp: certificate pinning bypass

Monday, 13 May 2019

https://bugzilla.redhat.com/show_bug.cgi?id=1709379

            Bug ID: 1709379
           Summary: CVE-2018-20200 okhttp: certificate pinning bypass
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
        Whiteboard: impact=moderate,public=20190419,reported=20190419,sour
                    ce=cve,cvss3=6.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/
                    I:L/A:N,cwe=CWE-300,fedora-all/okhttp=affected,openshi
                    ft-enterprise-3/okhttp=new,fuse-7/okhttp=new,rhpam-7/o
                    khttp=new,rhdm-7/okhttp=new,springboot-1/okhttp=new
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team(a)redhat.com
          Reporter: msiddiqu(a)redhat.com
                CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
                    akoufoud(a)redhat.com, alazarot(a)redhat.com,
                    almorale(a)redhat.com, anstephe(a)redhat.com,
                    avibelli(a)redhat.com, bgeorges(a)redhat.com,
                    bleanhar(a)redhat.com, ccoleman(a)redhat.com,
                    chazlett(a)redhat.com, cmoulliard(a)redhat.com,
                    dedgar(a)redhat.com, eparis(a)redhat.com,
                    etirelli(a)redhat.com, gerard(a)ryan.lt, ibek(a)redhat.com,
                    ikanello(a)redhat.com, janstey(a)redhat.com,
                    java-sig-commits(a)lists.fedoraproject.org,
                    jbalunas(a)redhat.com, jgoulding(a)redhat.com,
                    jochrist(a)redhat.com, jokerman(a)redhat.com,
                    jpallich(a)redhat.com, jshepherd(a)redhat.com,
                    krathod(a)redhat.com, kverlaen(a)redhat.com,
                    lpetrovi(a)redhat.com, lthon(a)redhat.com,
                    mchappel(a)redhat.com, mizdebsk(a)redhat.com,
                    mnovotny(a)redhat.com, mszynkie(a)redhat.com,
                    paradhya(a)redhat.com, pgallagh(a)redhat.com,
                    puntogil(a)libero.it, rrajasek(a)redhat.com,
                    rruss(a)redhat.com, rsynek(a)redhat.com,
                    sdaley(a)redhat.com, trogers(a)redhat.com
  Target Milestone: ---
    Classification: Other

CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle
attackers to bypass certificate pinning by changing SSLContext and the boolean
values while hooking the application.

Upstream issue:

https://github.com/square/okhttp/issues/4967

References:

https://cxsecurity.com/issue/WLB-2018120252 
https://github.com/square/okhttp/commits/master 
https://github.com/square/okhttp/releases 
https://square.github.io/okhttp/3.x/okhttp/

-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010