ICEpush
  1. ICEpush
  2. PUSH-202

SECURITY: Improper Validation of Host-specific Certificate Data

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.2
    • Fix Version/s: EE-3.2.0.GA, 3.3
    • Component/s: Push Library
    • Labels:
      None
    • Environment:
      Test

      Description

      This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.

      The reported issue was: "Improper Validation of Host-specific Certificate Data"

      The details provided by Veracode were:

      _In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._

      The relevant class is:

      com.icesoft.icepush.C2dmNotificationProvider
          void <clinit>(void)"

      The task is to review the code to see if there is a potential security issue here and, if there is, fix it.

        Issue Links

          Activity

          There are no subversion log entries for this issue yet.

            People

            • Assignee:
              Steve Maryka
              Reporter:
              Deryk Sinotte
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: