Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 3.2
-
Fix Version/s: EE-3.2.0.GA, 3.3
-
Component/s: Push Library
-
Labels:None
-
Environment:Test
Description
This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)"
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
Issue Links
- blocks
-
ICE-8771
SECURITY: Potential security improvements related to findings from Veracode security scan
-
- Closed
-
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
| Field | Original Value | New Value |
|---|---|---|
| Summary | Placeholder issue | Improper Validation of Host-specific Certificate Data |
| Reporter | Migration [ remote ] | Deryk Sinotte [ deryk.sinotte ] |
| Description | Placeholder issue | I've opened up the following JIRA to review the potential security issue here. |
| Fix Version/s | EE-3.2.0.GA [ 10323 ] | |
| Affects Version/s | 3.2 [ 10340 ] | |
| Description | I've opened up the following JIRA to review the potential security issue here. |
This is a specific case opened up as part of a detailed analysis ( The reported issue was: "Improper Validation of Host-specific Certificate Data" The details provided by Veracode were: _In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._ The relevant class is: com.icesoft.icepush.C2dmNotificationProvider void <clinit>(void)" The task is to review the code to see if there is a potential security issue here and, if there is, fix it. |
| Component/s | Push Library [ 10044 ] |
| Fix Version/s | 3.3 [ 10374 ] |
| Summary | Improper Validation of Host-specific Certificate Data | SECURITY: Improper Validation of Host-specific Certificate Data |
| Assignee | Ted Goddard [ ted.goddard ] |
| Assignee | Ted Goddard [ ted.goddard ] | Steve Maryka [ steve.maryka ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Security | Private [ 10001 ] |
| Status | Resolved [ 5 ] | Closed [ 6 ] |