Multiple Vulnerabilities in Apache HTTP Components and Apache HTTP Client

Issue date: 26-04-2018
Affects versions: 12.2, 11.2, 10.2

Issue ID: SECURITY-54

Affected Product Version(s)
These vulnerabilities affect all versions of both the CMS and delivery applications based on Hippo CMS prior to 12.3.0, 12.2.1, 11.2.7, and 10.2.11.

Severity

low

Description

CVE-2014-3577 and CVE-2015-5262 have been reported against the Apache HTTP Components Client library; in combination with other attack vectors, they allow man-in-the-middle and denial of service attacks against affected systems. In addition, CVE-2012-5783 has been reported against the predecessor Apache Commons HTTP Client library. Successful exploitation of these vulnerabilities would require access to DNS, control over a resource accessed via HTTPS, or other preconditions. Customers may also be vulnerable in other ways through use of these libraries in their own code.

The affected Apache HTTP Components libraries have been updated (to httpclient 4.5.5 and httpcore 4.4.9), and the older HTTP Client library has been removed from product Maven dependencies in all supported CMS maintenance versions 10.2.11, 11.2.7, 12.2.1, and 12.3.0.
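Customers whose own projects declare these libraries directly need the same correction in their own build. The following Maven fragment is an added example, not Hippo's own pom.xml: it pins the patched HttpComponents versions named above and excludes the predecessor Commons HTTP Client from a transitive dependency. The dependency `com.example:some-legacy-integration` is hypothetical and stands in for any third-party artifact that still pulls in the old library.

```xml
<!-- Added example fragment (not the Hippo CMS project's own pom.xml). -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- Patched versions as stated in the advisory -->
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpclient</artifactId>
        <version>4.5.5</version>
      </dependency>
      <dependency>
        <groupId>org.apache.httpcomponents</groupId>
        <artifactId>httpcore</artifactId>
        <version>4.4.9</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Hypothetical third-party artifact that transitively depends on the
         predecessor Apache Commons HTTP Client; the exclusion keeps the
         unmaintained library (affected by CVE-2012-5783) off the classpath. -->
    <dependency>
      <groupId>com.example</groupId>
      <artifactId>some-legacy-integration</artifactId>
      <version>1.0</version>
      <exclusions>
        <exclusion>
          <groupId>commons-httpclient</groupId>
          <artifactId>commons-httpclient</artifactId>
        </exclusion>
      </exclusions>
    </dependency>
  </dependencies>
</project>
```

After applying the change, `mvn dependency:tree -Dincludes=commons-httpclient,org.apache.httpcomponents` shows which versions actually end up on the classpath; the output should list httpclient 4.5.5 and httpcore 4.4.9 and no `commons-httpclient:commons-httpclient` entry at all. Pinning in `dependencyManagement` rather than only in `dependencies` matters because it also overrides the version any transitive dependency would otherwise bring in.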

Instructions

Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher.

Because the upgrade for these CMS maintenance versions may require some additional steps and verification, specific upgrade documentation is available to our customers for upgrading to version 10.2.11, 11.2.7, or to 12.2.1 and 12.3.0 (login required).