Tenable Discovers SSRF Vulnerability in Java TLS Handshakes ...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://www.tenable.com/blog/tenable-discovers-ssrf-vulnerability-in-java-tls-handshakes-that-creates-dos-risk
• Blog Title: Tenable Discovers SSRF Vulnerability in Java TLS Handshakes That Creates DoS Risk
• Suggested Section: Pentesting Web -> SSRF (Server Side Request Forgery) -> SSRF via non-HTTP protocols/metadata; or add a new subsection: "SSRF via TLS/PKI AIA (CA Issuers) fetching (Java mTLS/PKIX)"

🎯 Content Summary

What Tenable found
Tenable Research identified an SSRF primitive inside Java’s TLS client-certificate validation logic when a Java server performs mutual TLS (mTLS). A malicious client certificate can abuse the X.509 Authority Information Access (AIA) extension — specifically the CA Issuers URI — to make the server fetch attacker-chosen URIs during the TLS handshake. In some cases, this SSRF-style fetch can be turned into a Denial of Service (DoS) by...

🔧 Technical Details

When a system supports building incomplete X.509 chains by dereferencing Authority Information Access (AIA) → CA Issuers URIs, treat any peer-provided certificate chain as untrusted input. In mTLS, the server validates client certs; if AIA CA Issuers fetching is enabled, an attacker can supply a client leaf certificate with a crafted CA Issuers - URI:... and omit intermediates, causing the server-side certpath builder to fetch attacker-chosen resources during the TLS handshake (SSRF). Instrumentation such as Java’s -Djava.security.debug=certpath can reveal CertStore URI:... dereferences, and tools like nc can capture the resulting outbound HTTP requests (including a controllable User-Agent via -Dhttp.agent).

To convert AIA-based SSRF into a DoS, point CA Issuers to an expensive or unbounded source supported by the URI handler (e.g., on Unix-like systems file:///dev/urandom<...

🤖 Agent Actions

Summary:

• Added a new subsection on Java mTLS AIA CA Issuers-based SSRF/DoS to the SSRF page, detailing prerequisites, commands to trigger outbound requests during TLS client-cert validation, and a DoS variant via file:// URIs.
• Highlighted how to observe and control the outbound fetch (certpath debug, -Dhttp.agent, netcat listener) and the impact of unbounded reads like /dev/urandom.
• Updated SSRF references with the Tenable research blog and RFC 5280 AIA section.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://www.tenable.com/blog/tenable-discovers-ssrf-vulnerability-in-java-tls-handshakes-that-creates-dos-risk

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> SSRF (Server Side Request Forgery) -> SSRF via non-HTTP protocols/metadata; or add a new subsection: "SSRF via TLS/PKI AIA (CA Issuers) fetching (Java mTLS/PKIX)"".

Repository Maintenance:

• MD Files Formatting: 939 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge