VYPR
Unrated severity · NVD Advisory · Published Sep 29, 2014 · Updated May 6, 2026

CVE-2012-6107

Description

Apache Axis2/C fails to verify SSL/TLS server hostnames against X.509 certificates, enabling man-in-the-middle attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The SSL/TLS implementation in Apache Axis2/C does not validate that the server hostname matches the Common Name (CN) or subjectAltName field in the X.509 certificate presented during the TLS handshake [1][2]. This flaw affects all versions prior to the fix introduced in version 1.7.0 [2]. The vulnerability resides in the transport/http component of Axis2/C, where peer hostname validation code is absent [2].

Exploitation

An attacker who can position themselves as a man-in-the-middle on the network between an Axis2/C client and an intended SSL/TLS server can exploit this vulnerability [1]. The attacker presents any valid X.509 certificate (e.g., one issued for a different domain) to the client. Because Axis2/C does not verify the certificate's hostname, the client will accept the connection and exchange data with the attacker as if it were the legitimate server. No user interaction beyond the normal SSL connection is required.

Impact

Successful exploitation allows the attacker to intercept, read, modify, or forge all data transmitted over the supposed secure connection. This leads to complete compromise of confidentiality and integrity of communications, enabling credential theft, data exfiltration, and injection of malicious content. The attacker does not gain code execution on the client or server, but can control the communication channel.

Mitigation

The flaw is fixed in Apache Axis2/C version 1.7.0, released alongside the resolution of the issue [2]. Users should upgrade to this version or later. If upgrading is not possible, partial workarounds include strict certificate pinning in the client, or routing client traffic through a TLS-aware proxy that performs hostname validation on the client's behalf. Red Hat notes that this issue is a security response and has been closed as UPSTREAM, meaning the fix must be obtained from the upstream project [1].
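The check that the Vulnerability section describes as absent, written out as an added example in C. This is not Axis2/C code and not OpenSSL's implementation; it is a stand-alone hostname-matching routine following the RFC 6125 rules: subjectAltName dNSName entries take precedence over the Common Name, the comparison is case-insensitive, and a single leading wildcard covers exactly one label and never a top-level domain. The identifiers used in `main` are constructed sample values. A real client should not hand-roll this: with OpenSSL 1.0.2 and later, `X509_check_host()` (or `SSL_set1_host()` on 1.1.0 and later, combined with `SSL_VERIFY_PEER`) makes the library perform the same check, and the point of this example is to show what a client that skips it is failing to ask.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive comparison of two DNS name fragments of equal length. */
static bool dns_equal(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Match one presented identifier (CN or SAN dNSName) against the hostname.
 * Only a single leading "*." wildcard covering exactly one label is honoured,
 * and the wildcard's suffix must itself contain at least two labels, so
 * "*.com" never matches "example.com". */
static bool identifier_matches(const char *pattern, const char *host)
{
    size_t plen = strlen(pattern), hlen = strlen(host);

    /* Tolerate one trailing dot on either side (absolute vs relative FQDN). */
    if (plen && pattern[plen - 1] == '.') plen--;
    if (hlen && host[hlen - 1] == '.') hlen--;
    if (plen == 0 || hlen == 0) return false;

    if (!(plen > 2 && pattern[0] == '*' && pattern[1] == '.')) {
        /* No wildcard: the names must be identical, ignoring case. */
        return plen == hlen && dns_equal(pattern, host, plen);
    }

    /* Wildcard: "*.suffix" must match "label.suffix" for exactly one label. */
    const char *suffix = pattern + 1;               /* ".suffix" */
    size_t slen = plen - 1;
    if (memchr(suffix + 1, '*', slen - 1))           /* reject a second '*' */
        return false;
    if (!memchr(suffix + 1, '.', slen - 1))          /* suffix needs >= 2 labels */
        return false;
    const char *dot = memchr(host, '.', hlen);
    if (!dot || dot == host) return false;           /* host needs a leading label */
    size_t label_len = (size_t)(dot - host);
    if (hlen - label_len != slen) return false;      /* remainder must equal suffix */
    return dns_equal(dot, suffix, slen);
}

/* The missing check: does any identifier in the certificate match the host
 * the client intended to reach? If dNSName SANs are present they are
 * authoritative and the CN is ignored; the CN is only a legacy fallback. */
bool hostname_verified(const char *host,
                       const char *const *san_dns, size_t san_count,
                       const char *cn)
{
    if (san_count > 0) {
        for (size_t i = 0; i < san_count; i++)
            if (identifier_matches(san_dns[i], host)) return true;
        return false;   /* SANs present but none match: CN must not rescue it */
    }
    return cn != NULL && identifier_matches(cn, host);
}

int main(void)
{
    /* Constructed sample values: identifiers a legitimate certificate for the
     * service might carry, and identifiers from some other valid certificate
     * that an on-path party could present instead. */
    const char *legit_sans[] = { "api.example.org", "*.example.org" };
    const char *other_sans[] = { "www.other.example" };

    printf("legit cert vs api.example.org: %s\n",
           hostname_verified("api.example.org", legit_sans, 2, NULL)
               ? "accept" : "reject");
    printf("other cert vs api.example.org: %s\n",
           hostname_verified("api.example.org", other_sans, 1, "other.example")
               ? "accept" : "reject");
    return 0;
}
```

Without a check like `hostname_verified`, the second case is accepted as long as the chain validates, which is exactly the condition the advisory describes: any certificate a public CA issued for any name satisfies the client.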

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.