(RHSA-2014:1082) Important: thermostat1-httpcomponents-client security update

ID RHSA-2014:1082
Type redhat
Reporter RedHat
Modified 2017-03-03T17:40:34


Thermostat is a monitoring and instrumentation tool for the OpenJDK HotSpot Java Virtual Machine (JVM) with support for monitoring multiple JVM instances.

The httpcomponents-client package provides an HTTP agent implementation that is used by Thermostat to visualize collected data in an HTTP-aware client application.

It was found that the fix for CVE-2012-6153 was incomplete: the code added to check that the server hostname matches the domain name in a subject's Common Name (CN) field in X.509 certificates was flawed. A man-in-the-middle attacker could use this flaw to spoof an SSL server using a specially crafted X.509 certificate. (CVE-2014-3577)

For additional information on this flaw, refer to the Knowledgebase article in the References section.

All thermostat1-httpcomponents-client users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.