Recipe Name:
Email: Disabled SSL Server Identity check
Description:
When sending an email, the setSSLCheckServerIdentity has been set to false
Level:
error
Language:
- java
Tags:
- security
- Apache Commons
- web
- OWASP Top 10
Documentation
SSL/TLS with full certificate verification should be enabled when sending email. Explicitly disabling SSL/TLS sends the message contents in clear text over the network. Disabling verification of the mail server's identity (setSSLCheckServerIdentity(false)) means the certificate is never matched against the configured host name, so a spoofed or intercepting server is accepted.
Before
    Email email = new SimpleEmail();
    email.setSSLOnConnect(false);           // plaintext SMTP: contents travel unencrypted
    email.setSSLCheckServerIdentity(false); // certificate host name is never checked
After
    Email email = new SimpleEmail();
    email.setSSLOnConnect(true);            // TLS from the first byte of the connection
    email.setSSLCheckServerIdentity(true);  // certificate must match the configured host name
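A fuller version of the "After" configuration, added here as an example and not part of the recipe: it sets the host name the certificate is checked against, enforces TLS, and includes a small guard that rejects an Email whose transport security has been weakened. It assumes Apache Commons Email 1.3 or later (where setSSLCheckServerIdentity and the isStartTLSRequired getters exist); host, port and credentials are placeholders.

```java
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SecureMailConfig {

    // Builds an Email whose SMTP session is always encrypted and whose server
    // certificate must match smtpHost. Port 465 (implicit TLS) is an assumption;
    // swap for 587 with STARTTLS if that is what the relay offers.
    public static Email buildSecureEmail(String smtpHost, String user, String password)
            throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(smtpHost);              // name the certificate is validated against
        email.setSmtpPort(465);
        email.setSSLOnConnect(true);              // encrypt from the start of the connection
        email.setSSLCheckServerIdentity(true);    // reject certificates for a different host
        email.setStartTLSRequired(true);          // if STARTTLS is used instead, never fall back
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        email.setFrom("noreply@example.com");     // placeholder addresses
        email.addTo("ops@example.com");
        email.setSubject("Nightly report");
        email.setMsg("Report attached.");
        return email;
    }

    // Fail-fast check for use in tests or at startup: returns true only when the
    // transport is encrypted (implicit TLS or required STARTTLS) and the server
    // identity check is on, i.e. neither of the two flags from the recipe is disabled.
    public static boolean isTransportSecure(Email email) {
        boolean encrypted = email.isSSLOnConnect() || email.isStartTLSRequired();
        return encrypted && email.isSSLCheckServerIdentity();
    }

    public static void main(String[] args) throws EmailException {
        Email email = buildSecureEmail("smtp.example.com", "user", "password");
        if (!isTransportSecure(email)) {
            throw new IllegalStateException("mail transport security has been weakened");
        }
        // email.send();  // not called here: no real relay in this example
    }
}
```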
Recipe
id: scw:apache:email:ssl-check-disabled
version: 10
metadata:
  name: 'Email: Disabled SSL Server Identity check'
  shortDescription: When sending an email, the setSSLCheckServerIdentity has been set to false
  level: error
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/Email__Disabled_SSL_on_Connect.html
  tags: security;Apache Commons;web;email;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setSSLCheckServerIdentity
    type: org.apache.commons.mail.Email
availableFixes:
  - name: Set setSSLCheckServerIdentity to true
    actions:
      - rewrite:
          to: '{{{ expressionElement }}}(true)'