Details
-
Type: Bug
-
Status: Closed
-
Priority: Major
-
Resolution: Fixed
-
Affects Version/s: 3.2
-
Fix Version/s: EE-3.2.0.GA, 3.3
-
Component/s: Push Library
-
Labels:None
-
Environment:Test
Description
This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
Issue Links
- blocks
-
ICE-8771 SECURITY: Potential security improvements related to findings from Veracode security scan
- Closed
Activity
Migration
created issue -
Ken Fyten
made changes -
Field | Original Value | New Value |
---|---|---|
Summary | Placeholder issue | Improper Validation of Host-specific Certificate Data |
Ken Fyten
made changes -
Reporter | Migration [ remote ] | Deryk Sinotte [ deryk.sinotte ] |
Description | Placeholder issue | I've opened up the following JIRA to review the potential security issue here. |
Deryk Sinotte
made changes -
Fix Version/s | EE-3.2.0.GA [ 10323 ] | |
Affects Version/s | 3.2 [ 10340 ] | |
Description | I've opened up the following JIRA to review the potential security issue here. |
This is a specific case opened up as part of a detailed analysis ( The reported issue was: "Improper Validation of Host-specific Certificate Data" The details provided by Veracode were: _In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._ The relevant class is: com.icesoft.icepush.C2dmNotificationProvider void <clinit>(void)" The task is to review the code to see if there is a potential security issue here and, if there is, fix it. |
Component/s | Push Library [ 10044 ] |
Ken Fyten
made changes -
Fix Version/s | 3.3 [ 10374 ] |
Ken Fyten
made changes -
Summary | Improper Validation of Host-specific Certificate Data | SECURITY: Improper Validation of Host-specific Certificate Data |
Ken Fyten
made changes -
Assignee | Ted Goddard [ ted.goddard ] |
Ted Goddard
made changes -
Assignee | Ted Goddard [ ted.goddard ] | Steve Maryka [ steve.maryka ] |
Steve Maryka
made changes -
Status | Open [ 1 ] | Resolved [ 5 ] |
Resolution | Fixed [ 1 ] |
Ken Fyten
made changes -
Security | Private [ 10001 ] |
Ken Fyten
made changes -
Status | Resolved [ 5 ] | Closed [ 6 ] |
This is a security issue and should be fixed. Both C2dmNotificationProvider.java and GcmNotificationProvider.java make use of noop TrustManager. This would allow an attacker to spoof DNS (for a google.com domain) and to intercept all Cloud Push notifications sent to Android devices from the application server.