View Issue Details

ID: 0009876
Project: 10000-004: Services
Category: Spec
View Status: public
Last Update: 2024-10-10 17:46
Reporter: Randy Armstrong
Assigned To: Jim Luth
Priority: high
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 1.05.04 RC1
Target Version: 1.05.04
Fixed in Version: 1.05.04
Summary: 0009876: Compromise Text on Client Certificate does not actually fix CVE
Description

The text:
For SecureChannels that use the Application Instance Certificate the Server shall verify that this Certificate is the same as the one it used to create the SecureChannel.

Implies that when using TLS/HTTPS there is no need to check the client certificate against the TLS client certificate if that Certificate is not accessible to the Server which means the vulnerability still exists.

Wording should be:
If the SecurityMode is not None, the Server shall verify that this Certificate is the same as the one it used to create the SecureChannel.

Tags: No tags attached.
Commit Version
Fix Due Date

Activities

Jim Luth (administrator), 2024-10-10 17:45, note ~0021876

Changed text to: "If the SecurityMode is not None, the Server shall verify that this Application Instance Certificate is the same as the one it used to create the SecureChannel."
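
The difference between the original and the fixed wording, as an added example that is not part of the issue or of the specification text. The `SecureChannel` model, its field names, the `opc_tcp`/`https` case labels and the fail-closed handling of an inaccessible channel certificate are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class SecurityMode(Enum):
    NONE = "None"
    SIGN = "Sign"
    SIGN_AND_ENCRYPT = "SignAndEncrypt"


@dataclass
class SecureChannel:  # hypothetical server-side view of a channel
    security_mode: SecurityMode
    uses_app_instance_cert: bool   # False for the TLS/HTTPS cases in this model
    channel_cert: Optional[bytes]  # cert seen at channel setup; None if not accessible


def check_original_wording(ch: SecureChannel, session_cert: bytes) -> bool:
    """Original text: compare only 'for SecureChannels that use the
    Application Instance Certificate'; other channels are not checked."""
    if not ch.uses_app_instance_cert:
        return True  # check skipped: the gap the issue reports
    return ch.channel_cert == session_cert


def check_fixed_wording(ch: SecureChannel, session_cert: bytes) -> bool:
    """Fixed text: 'If the SecurityMode is not None, the Server shall verify ...'"""
    if ch.security_mode is SecurityMode.NONE:
        return True
    if ch.channel_cert is None:
        return False  # assumption: what cannot be verified is rejected
    return ch.channel_cert == session_cert


# Constructed sample data: placeholder byte strings stand in for DER certificates.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
CASES = {
    "https_cert_not_accessible": SecureChannel(SecurityMode.SIGN, False, None),
    "https_cert_mismatch": SecureChannel(SecurityMode.SIGN, False, CERT_B),
    "opc_tcp_match": SecureChannel(SecurityMode.SIGN, True, CERT_A),
    "opc_tcp_mismatch": SecureChannel(SecurityMode.SIGN, True, CERT_B),
}


def compare_wordings() -> dict:
    """Map each case to (accepted under original text, accepted under fixed text)."""
    return {name: (check_original_wording(ch, CERT_A), check_fixed_wording(ch, CERT_A))
            for name, ch in CASES.items()}
```

Every session request in the sample presents `CERT_A`; the two HTTPS cases are the ones where the two wordings give different results.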

Issue History

Date Modified Username Field Change
2024-10-09 16:04 Randy Armstrong New Issue
2024-10-10 17:44 Jim Luth Assigned To => Jim Luth
2024-10-10 17:44 Jim Luth Status new => assigned
2024-10-10 17:44 Jim Luth Product Version 1.05.05 RC1 => 1.05.04 RC1
2024-10-10 17:44 Jim Luth Target Version 1.05.05 RC1 => 1.05.04
2024-10-10 17:45 Jim Luth Note Added: 0021876
2024-10-10 17:46 Jim Luth Status assigned => resolved
2024-10-10 17:46 Jim Luth Resolution open => fixed
2024-10-10 17:46 Jim Luth Fixed in Version => 1.05.04