SSL Certificate Validation fix for Man-In-The-Middle problem(WebSphere Application Server Community Edition 2.1.1.6)

Troubleshooting

Problem

There is a patch from the Axis community for SSL Certificate Validation issue(Man-In-The-Middle attack). The issue's CVE number is CVE-2012-5785.

Symptom

Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name(CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Resolving The Problem

To fix this issue, please follow the instruction.

1. Download the patch.SSLCertificateValidation(2.1.1.6).zip

2. Unzip the attached file into the WebSphere Application Server Community Edition installation directory, and ensure the files listed in the zip file to replace the ones in the server installation directory.

3. Start the server, for example,

<WAS_CE_HOME>\bin\startup.bat

<WAS_CE_HOME>/bin/startup.sh

[{"Product":{"code":"SS6JMN","label":"WebSphere Application Server Community Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"AxisWebServices","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"2.1.1.6","Edition":"Entry;Enhanced;Elite","Line of Business":{"code":"LOB45","label":"Automation"}}]

Tips

SSL Certificate Validation fix for Man-In-The-Middle problem(WebSphere Application Server Community Edition 2.1.1.6)

Troubleshooting

Problem

Symptom

Resolving The Problem

Was this topic helpful?

Document Information

UID

Share your feedback

Need support?