
Usage of Empty TrustManager Methods is insecure #4058

Open
@mahirkabir

Description

Vulnerability Description: In `plugins/api/vmware-sioc/src/main/java/org/apache/cloudstack/util/vmware/VMwareUtil.java`, inside `private static class TrustAllTrustManager implements TrustManager, X509TrustManager`, the overridden methods have no body:

```java
// Both overrides are empty, so no certificate check is ever performed.
public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException { }
```

Reason it’s vulnerable: If a method responsible for checking certificates doesn’t have any body, then it will trust all certificates.

Suggested Fix: Add the necessary certificate verification logic in the overridden methods.

Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -

  1. Liked it and will make the suggested changes
  2. Liked it but happy with the existing version
  3. Didn’t find the suggestion helpful
