Can anyone please tell me in which version of Apache axis2 CVE-2012-5785 is fixed?

Thanks in advance

closed as off-topic by mpy, Simon Sheehan, Samir, Attie, Pimp Juice IT Apr 9 at 1:36


    Can anyone please tell me in which version of Apache axis2 CVE-2012-5785 is fixed?

    Directly from the vulnerability description

    Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

    Source

    I should point out that no release after 1.6.2 specifically indicates they fixed that particular vulnerability. However, you should be using the current version, 1.7.7, to have the best chance of not being vulnerable due to numerous changes since 2012. Without proof-of-concept code it will be difficult to prove the current version is still vulnerable. It's literally that the fix was documented as something else and simply didn't call out this particular CVE in the change log.
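
The check that the quoted CVE description says is missing, as an added example (not part of the original answer and not Axis2 code; written in Python for a self-contained illustration): the server hostname is compared against the certificate's subjectAltName DNS entries, falling back to the subject CN only when no such entries exist. The function names and sample certificates are constructed for this example, and IP-address SANs and internationalized names are not handled.

```python
# Added illustration: match a server hostname against a certificate's identity.
# Certificates use the dict layout returned by ssl.SSLSocket.getpeercert().

def _label_match(pattern, hostname):
    """Compare one certificate DNS name with hostname, case-insensitively.
    A wildcard is honoured only as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial or misplaced wildcards ("a*.example.com") are rejected.
    return "*" not in pattern and p_labels == h_labels


def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate's identity fields."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_names:
        # Fall back to the subject CN only when no dNSName SAN entries exist.
        dns_names = [v for rdn in cert.get("subject", ())
                     for k, v in rdn if k == "commonName"]
    return any(_label_match(name, hostname) for name in dns_names)


# Constructed sample certificates (not taken from any real server).
CERT_SAN = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "api.example.com"), ("DNS", "*.svc.example.com")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "legacy.example.com"),),)}
CERT_OTHER = {  # would pass chain validation, but was issued for another site
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}

if __name__ == "__main__":
    for cert, host in [(CERT_SAN, "api.example.com"),
                       (CERT_SAN, "a.svc.example.com"),
                       (CERT_SAN, "ignored.example"),
                       (CERT_CN_ONLY, "legacy.example.com"),
                       (CERT_OTHER, "api.example.com")]:
        print(host, "->", "accept" if hostname_matches(cert, host) else "reject")
```

A client that validates only the certificate chain would accept `CERT_OTHER` for `api.example.com`; with this check in place the connection is refused.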
