HttpComponents Client security fix released: CVE-2014-3577, hostname verification susceptible to MITM attack

Apache HttpComponents client (versions prior to the 4.3.5 / 4.0.2 revisions) may be susceptible to a "Man in the Middle Attack" because of the default hostname verification performed when SSL/TLS certificates from certain server types are used. The public CVE-2014-3577 description is more specific: org.apache.http.conn.ssl.AbstractVerifier did not properly verify that the server hostname matched a domain name in the certificate's Common Name (CN) or subjectAltName, so a certificate carrying a "CN=" string inside another field of its distinguished name (for example the text "foo,CN=www.apache.org" in the O field) could be used to spoof an SSL server.

All HttpClient 4.3.5 and HttpAsyncClient 4.0.2 releases (including the Android port) contain the fix for this vulnerability:

http://search.maven.org/#artifactdetails|org.apache.httpcomponents|httpclient|4.3.5|jar
http://search.maven.org/#artifactdetails|org.apache.httpcomponents|httpasyncclient|4.0.2|jar

Mitigation
----------
Upgrade as soon as possible to HttpClient 4.3.5 (including the HttpClient port for Android built against the official Google Android SDK) and HttpClient (async) 4.0.2, revision 1614065 or higher.

Common Vulnerability Scoring (Version 2) and vector
---------------------------------------------------
CVSS Base Score            5.8
  Impact Subscore          4.9
  Exploitability Subscore  8.6
CVSS Temporal Score        4.8
CVSS Environmental Score   1.4
  Modified Impact Subscore 5.2
------------------------------
Overall CVSS Score         1.4

CVSS v2 Vector
AV:N/AC:M/Au:N/C:P/I:N/A:P/E:F/RL:OF/RC:C/CDP:L/TD:L/CR:H/IR:L/AR:L

Note that the overall score of 1.4 equals the environmental score, which is pulled down by the low target distribution (TD:L) chosen in the vector; for a deployment that actually uses HttpClient for TLS connections, the base score of 5.8 (network-reachable, medium complexity, no authentication) is the relevant figure.
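The following is an added example, not code from the HttpComponents project or from the advisory, illustrating the flaw class named in the CVE description above: extracting CN values by tokenizing the RFC 2253 form of a subject DN on "," and "+" (without honouring escaping) versus parsing it with javax.naming.ldap.LdapName and reading only CN attributes. The class and method names (CnExtractionDemo, naiveCns, parsedCns, hostMatches) and the crafted DN string are constructed for this illustration; in a real client the DN string would come from X509Certificate.getSubjectX500Principal().getName().

```java
import java.util.ArrayList;
import java.util.List;
import java.util.StringTokenizer;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/**
 * Added illustration of the CN-extraction flaw class behind CVE-2014-3577 and
 * of the RFC 2253-aware alternative. Not HttpComponents code. The DN strings
 * are constructed for this example; in a real client the string would come
 * from X509Certificate.getSubjectX500Principal().getName().
 */
public class CnExtractionDemo {

    /**
     * Flawed pattern: split the RFC 2253 string on RDN/attribute separators and
     * keep every token that starts with "CN=". Escaped separators inside a
     * value are not honoured, so the O value "foo\,CN=www.apache.org" produces
     * a bogus "CN=www.apache.org" token.
     */
    static List<String> naiveCns(String dn) {
        List<String> cns = new ArrayList<>();
        StringTokenizer st = new StringTokenizer(dn, ",+");
        while (st.hasMoreTokens()) {
            String tok = st.nextToken().trim();
            if (tok.length() > 3 && tok.substring(0, 3).equalsIgnoreCase("CN=")) {
                cns.add(tok.substring(3));
            }
        }
        return cns;
    }

    /**
     * Correct pattern: parse the DN with the JDK's RFC 2253 parser and read only
     * attributes whose type is CN. toAttributes() unescapes values and copes
     * with multi-valued RDNs such as "CN=a+O=b".
     */
    static List<String> parsedCns(String dn) throws NamingException {
        List<String> cns = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            Attribute cn = rdn.toAttributes().get("CN"); // BasicAttributes, case-insensitive
            if (cn == null) {
                continue;
            }
            NamingEnumeration<?> values = cn.getAll();
            while (values.hasMore()) {
                cns.add(String.valueOf(values.next()));
            }
        }
        return cns;
    }

    /** Exact, case-insensitive match of a hostname against the extracted CNs (wildcards deliberately omitted). */
    static boolean hostMatches(String host, List<String> cns) {
        for (String cn : cns) {
            if (cn.equalsIgnoreCase(host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NamingException {
        // Constructed attacker-controlled subject: a CA could legitimately issue this
        // for attacker.example, yet the O field contains the text "foo,CN=www.apache.org".
        String craftedDn = "CN=attacker.example,O=foo\\,CN=www.apache.org";
        String target = "www.apache.org";

        List<String> naive = naiveCns(craftedDn);
        List<String> parsed = parsedCns(craftedDn);
        System.out.println("naive  CNs " + naive + " -> accepts " + target + "? " + hostMatches(target, naive));
        System.out.println("parsed CNs " + parsed + " -> accepts " + target + "? " + hostMatches(target, parsed));
    }
}
```

With the crafted subject, the tokenizing extractor reports the victim name alongside the real CN and therefore accepts the certificate for www.apache.org, while the LdapName-based extractor reports only attacker.example and rejects it. Two practitioner notes: RFC 2818 §3.1 says the CN should only be consulted when the certificate has no subjectAltName dNSName entries, so any CN fallback belongs behind that check; and to confirm which library version a build actually pulls in (transitive dependencies included), run `mvn dependency:tree -Dincludes=org.apache.httpcomponents` and look for httpclient below 4.3.5 or httpasyncclient below 4.0.2.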