
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN294
_____________________________________________________________________

DATE                : 28/05/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Fineract versions prior to 1.5.0.

=====================================================================
http://mail-archives.apache.org/mod_mbox/fineract-dev/202105.mbox/%3cCANMpf84_x7q+F7a03Z8X-P-a_vPvg1MATMk8eEoe8JJhSmovHg@mail.gmail.com%3e
_____________________________________________________________________

Dev List - This announcement is to acknowledge the work of the Release
manager and the entire community in pushing out the 1.5.0 release, which
includes a fix for a reported issue.

If you know of a security issue, the practice is to send an email to:
security AT fineract.apache.org. We then determine its level of
criticality according to a risk model and provide a fix in the next
release, or a patch if one is required.

Please see
https://cwiki.apache.org/confluence/display/FINERACT/Apache+Fineract+Security+Report


Thank you @Michael Vorburger <mike@vorburger.ch> for submitting the fix.

*CVE-2020-17514: Disabled Hostname verification for HTTPS*

[DESCRIPTION]:

*Critical*:  Apache Fineract disables HTTPS hostname verification in
`ProcessorHelper` in the `configureClient` method.

Under typical deployments, this allows a man-in-the-middle attack to
succeed.
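To make the described misconfiguration concrete, the following is an added illustration (not Fineract's own ProcessorHelper code) that builds one HTTP client with an accept-everything HostnameVerifier and one that keeps the library default. It assumes OkHttp 3.x or 4.x on the classpath; the class and method names are invented for the example.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import okhttp3.OkHttpClient;

/**
 * Added example: weak vs. hardened OkHttp client construction.
 * Assumption: OkHttp 3.x/4.x; nothing here is Fineract project code.
 */
public final class HostnameVerificationExample {

    /**
     * Weak pattern of the kind the advisory describes: a verifier that
     * accepts every hostname. A certificate that is valid for ANY name is
     * then accepted for the Fineract endpoint, so TLS no longer binds the
     * connection to the intended server and an interposed host is not
     * detected.
     */
    static OkHttpClient weakClient() {
        HostnameVerifier acceptAll = (String hostname, SSLSession session) -> true;
        return new OkHttpClient.Builder()
                .hostnameVerifier(acceptAll)
                .build();
    }

    /**
     * Hardened form: do not override the verifier at all. OkHttp's default
     * verifier matches the requested host against the certificate's
     * subjectAltName entries, which is the behaviour a correct fix restores.
     */
    static OkHttpClient hardenedClient() {
        return new OkHttpClient.Builder().build();
    }

    /**
     * Review/audit check: a verifier that returns true for a clearly
     * mismatched name without even consulting the session ignores the
     * certificate entirely. The default verifier needs the peer chain, so
     * it is compared by identity instead of being invoked with a null session.
     */
    static boolean verifierIgnoresCertificate(OkHttpClient client) {
        HostnameVerifier v = client.hostnameVerifier();
        HostnameVerifier okHttpDefault = new OkHttpClient().hostnameVerifier();
        if (v == okHttpDefault) {
            return false; // library default: performs real SAN/host matching
        }
        // "mitm.example" is a constructed name; a sound verifier cannot say
        // "true" about it with no session to inspect.
        return v.verify("mitm.example", null);
    }

    public static void main(String[] args) {
        System.out.println("weak client ignores certificate:     "
                + verifierIgnoresCertificate(weakClient()));      // true
        System.out.println("hardened client ignores certificate: "
                + verifierIgnoresCertificate(hardenedClient()));  // false
    }
}
```

The check in verifierIgnoresCertificate is the kind of unit test worth keeping next to client-construction code: it fails loudly if someone reintroduces a custom verifier that never looks at the certificate, which is exactly the regression the 1.5.0 fix closes.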

*Release branch*: The fix is available at
https://github.com/apache/fineract/tree/1.5.0.

*Acknowledgements*: We would like to thank Simon Gerst at
https://github.com/intrigus-lgtm  for reporting this issue, and the
*Apache Security team* for their assistance.
Reported to security team: 15 October 2020
Fixed: 19 October 2020
Update released: 23 May 2021
Issue public: 26 May 2021
Affects: 0.4.0-incubating, 0.5.0-incubating, 0.6.0-incubating, 1.0.0,
1.1.0, 1.2.0, 1.3.0, 1.4.0

[REFERENCES]:

https://issues.apache.org/jira/browse/FINERACT-1211



Please also note the many improvements and new features in this release.
https://cwiki.apache.org/confluence/display/FINERACT/1.5.0+-+Apache+Fineract


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



