Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.2
- Fix Version/s: EE-3.2.0.GA, 3.3
- Component/s: Push Library
- Labels: None
- Environment: Test
Description
This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.
The reported issue was: "Improper Validation of Host-specific Certificate Data"
The details provided by Veracode were:
_In this call to !operator_newarray_initimp(), host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack. Verify that the certificate is valid, matches the requested site, and is signed by a trusted root authority. Generate an error and destroy the connection if any of these conditions are not met._
The relevant class is:
com.icesoft.icepush.C2dmNotificationProvider
void <clinit>(void)
The task is to review the code to see if there is a potential security issue here and, if there is, fix it.
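The issue does not record what the flagged static initializer actually does. As an added illustration, not the ICEpush project's code and not a reconstruction of the flagged method, the block below shows the Java pattern that produces this class of Veracode finding (a trust-all TrustManager and an accept-all HostnameVerifier installed as process-wide defaults) beside the hardened form, which keeps the platform trust store and enables JSSE endpoint identification so that an untrusted chain or a name mismatch fails the handshake. The host name push.example.com and the class name PushTlsSetup are placeholders.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;

public class PushTlsSetup {

    // WEAK (assumed pattern for illustration, not the project's code).
    // Installing these as JVM-wide defaults means every HttpsURLConnection in
    // the process accepts any certificate for any host: nothing checks the
    // chain against a trusted root, and nothing checks the name, so an
    // on-path attacker presenting any certificate is accepted silently.
    static void installPermissiveSsl() throws Exception {
        TrustManager[] trustAll = new TrustManager[] { new X509TrustManager() {
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HostnameVerifier acceptAll = (hostname, session) -> true;
        HttpsURLConnection.setDefaultHostnameVerifier(acceptAll);
    }

    // HARDENED: validate the chain against the platform trust store and let
    // JSSE verify that the certificate matches the requested host during the
    // handshake. startHandshake() throws SSLHandshakeException when the chain
    // is untrusted, expired, or issued for a different name, so the caller
    // never gets a usable socket in that case.
    static SSLSocket connectVerified(String host, int port) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);               // null = JDK default trust store (cacerts)
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);

        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 host name check
        socket.setSSLParameters(params);
        socket.startHandshake();                  // fails closed on any validation error
        return socket;
    }

    public static void main(String[] args) {
        String host = "push.example.com";        // placeholder, not a real endpoint
        try (SSLSocket s = connectVerified(host, 443)) {
            System.out.println("Verified TLS session with " + host
                + " using " + s.getSession().getCipherSuite());
        } catch (SSLHandshakeException e) {
            // Untrusted issuer or name mismatch: refuse to send anything.
            System.err.println("Refusing connection to " + host + ": " + e.getMessage());
        } catch (Exception e) {
            System.err.println("Connection failed: " + e);
        }
    }
}
```

For plain HttpsURLConnection use, the hardened form needs no code at all: the JDK's default SSLSocketFactory and HostnameVerifier already perform both checks, so the fix for a finding of this kind is usually to delete the code that replaces them rather than to add verification logic.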
Issue Links
- blocks ICE-8771 SECURITY: Potential security improvements related to findings from Veracode security scan (Closed)