Hutool Certificate Validation Vulnerability CVE-2022-22885

InsBug
Aug 25, 2023


Summary

Hutool is a Java utility library that provides a wealth of utility classes and methods so that developers can handle a variety of common tasks in Java applications. It is widely used in Java development because of its simple API, rich functionality and good performance.

The author selected common vulnerabilities in the Hutool component for research, based on an analysis of the components introduced in hundreds of real projects. This analysis covers the improper certificate validation issue CVE-2022-22885 that arises when Hutool-http performs HttpRequest operations.

The Hutool-http component is an HTTP client wrapper built on HttpURLConnection. Its HttpRequest class is responsible for sending HTTP requests.

Information

• Name: Certificate Validation Vulnerability

• Number: CVE-2022-22885

• Type: CWE-295 Improper Certificate Validation

• CVSS Score: CVSS v3.1: 9.8

• Severity Level: Critical

The vulnerability lies in Hutool's default HostnameVerifier, which trusts every hostname: a certificate issued for a name other than the one being requested is accepted instead of rejected.

This vulnerability affects Hutool versions before 5.7.19.

Vulnerability Analysis

A certificate validation weakness exposes the application making the request to man-in-the-middle attacks, which can leak the data sent and received over the connection. If the leaked data includes credentials or keys, those can in turn be used to compromise the systems they protect.

The root cause is that the hostnameVerifier passed in by the setInfo function of Hutool's HttpUtil defaults to TRUST_ANY_HOSTNAME_VERIFIER, whose verify method unconditionally returns true.

In HttpsURLConnection, the HostnameVerifier is a fallback that is consulted only when the host being connected to does not match the names in the server certificate, so a verifier that returns true lets every such mismatch through, and that is what Hutool does by default. A client using the default settings therefore accepts a certificate that belongs to a different site, including one presented by an attacker who has interposed on the connection.

Reproduction

1. Requesting the mismatched page with the plain JDK classes

Java's own HttpsURLConnection throws an exception when the hostname being accessed does not match the certificate.

2. Requesting the same page with Hutool's HttpRequest class

The page content is returned successfully.

Fix

Use a custom HostnameVerifier that checks the certificate's subject name against the requested hostname.

After the fix, as shown in the diagram below, the program validates both the hostname and the subject name obtained from the certificate whenever it performs an HTTPS request. Specifically, the hostname.equals() and principalName.equals() checks must be adjusted to the host of the request URL; requests to a site whose certificate name does not match that host are then rejected, which closes the man-in-the-middle exposure described above.

This fix requires the verify code to be configured with the hostname and certificate information of the request URL.
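As an added illustration (not code from the original post or from Hutool itself), the following Java program puts the trust-any verifier described in the analysis next to a strict one and sends the same HttpRequest with each. It assumes hutool-http 5.x on the classpath and a test endpoint whose certificate is valid but issued for another name; https://wrong.host.badssl.com/ (a public TLS test site) is used here. The names HutoolHostnameCheck, TRUST_ANY, STRICT, matchesSan, dnsNameMatches and fetch are this example's own. It goes a little beyond the equals() checks the post describes: instead of comparing against a fixed principal name, it matches the request host against the dNSName entries of the certificate the server actually presented, including single-label wildcards.

```java
import cn.hutool.http.HttpRequest;

import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;

public class HutoolHostnameCheck {

    // What TRUST_ANY_HOSTNAME_VERIFIER amounts to: every name mismatch is waved through.
    static final HostnameVerifier TRUST_ANY = (hostname, session) -> true;

    // Strict verifier: the requested host must match a dNSName SAN of the leaf
    // certificate the server presented. Any error fails closed.
    static final HostnameVerifier STRICT = (hostname, session) -> {
        try {
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                return false;
            }
            return matchesSan(hostname, (X509Certificate) chain[0]);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return false;
        }
    };

    static boolean matchesSan(String hostname, X509Certificate leaf)
            throws CertificateParsingException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) {
            return false; // no SAN extension: do not fall back to the subject CN
        }
        String host = hostname.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            // GeneralName type 2 is dNSName; IP, email and other SAN types are ignored
            if (Integer.valueOf(2).equals(san.get(0))
                    && dnsNameMatches(host, ((String) san.get(1)).toLowerCase(Locale.ROOT))) {
                return true;
            }
        }
        return false;
    }

    // Exact match, or a wildcard covering exactly one leftmost label:
    // "*.example.com" matches "a.example.com" but not "a.b.example.com" or "example.com".
    static boolean dnsNameMatches(String host, String pattern) {
        if (!pattern.startsWith("*.")) {
            return host.equals(pattern);
        }
        String suffix = pattern.substring(1); // ".example.com"
        int dot = host.indexOf('.');
        // the suffix must itself contain a further label so that "*.com" is never accepted
        return dot > 0 && suffix.indexOf('.', 1) > 0 && host.substring(dot).equals(suffix);
    }

    static String fetch(String url, HostnameVerifier verifier) {
        try {
            String body = HttpRequest.get(url).setHostnameVerifier(verifier).execute().body();
            return "OK, " + body.length() + " bytes";
        } catch (RuntimeException e) {
            // Hutool rethrows the IOException from the failed handshake as an unchecked
            // exception (HttpException in 5.x), which is the outcome we want here
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Assumption: a reachable TLS endpoint whose certificate is valid but for another name.
        String url = "https://wrong.host.badssl.com/";
        System.out.println("trust-any verifier: " + fetch(url, TRUST_ANY));
        System.out.println("strict verifier:    " + fetch(url, STRICT));
    }
}
```

With the trust-any verifier the first call returns the page; with the strict verifier the mismatch is rejected. If you only want the JDK's behaviour back, passing HttpsURLConnection.getDefaultHostnameVerifier() to setHostnameVerifier is enough, because the verifier is only consulted after the built-in check has already failed and the JDK default refuses every such mismatch. Two caveats: a HostnameVerifier only checks the name and assumes the chain was validated by the TrustManager behind the SSLSocketFactory in use, so confirm that factory performs real chain validation as well; and upgrading to Hutool 5.7.19 or later remains the primary fix.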


Written by InsBug

A team focused on software security, code review and security assessment.
