Recipe Name:
Email: Disabled SSL on Connect
Description:
When sending an email, SSL has been disabled on connection
Level:
error
Language:
  • java
Tags:
  • security
  • Apache Commons
  • web
  • email
  • OWASP Top 10
Documentation

SSL/TLS, with certificate and host name verification, should be enabled when sending email. Calling setSSLOnConnect(false) without also requiring STARTTLS sends the whole SMTP session in plaintext: the credentials supplied to the authenticator and the message contents are readable and modifiable by anyone on the network path. Calling setSSLCheckServerIdentity(false) disables the check that the server's certificate matches the configured host name, so a TLS session can still be established with an impostor SMTP server (man-in-the-middle spoofing). Note that this recipe only matches a literal false passed to setSSLOnConnect; a flag read from configuration that happens to evaluate to false is not flagged and should be reviewed separately.

Before
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSSLOnConnect(false);           // no TLS on connect: the SMTP session goes out in plaintext
email.setSSLCheckServerIdentity(false); // the server certificate's host name is never checked
After
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSSLOnConnect(true);            // TLS from the first byte, on the SSL SMTP port (465 unless setSslSmtpPort is called)
email.setSSLCheckServerIdentity(true);  // reject a certificate that does not match the configured host name
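The two flags above are only part of a secure sender configuration: the host name, port and authenticator have to agree with them, and where implicit TLS on port 465 is not available, STARTTLS must be required rather than merely enabled, otherwise a stripped STARTTLS offer silently falls back to plaintext. The following is an added example written for this page, not code from the recipe or from Apache Commons Email; the host name, credentials and addresses are placeholders.

```java
import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public class SecureMailSender {

    // Implicit TLS (SMTPS): the TLS handshake completes before any SMTP command is sent.
    public static Email implicitTls(String host, String user, String password) {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSslSmtpPort("465");           // port used when sslOnConnect is true
        email.setSSLOnConnect(true);           // the setting this recipe checks
        email.setSSLCheckServerIdentity(true); // certificate must match `host`
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        return email;
    }

    // STARTTLS on the submission port. setStartTLSRequired(true) makes the send fail
    // if the server does not offer STARTTLS, instead of continuing in plaintext.
    public static Email requiredStartTls(String host, String user, String password) {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSmtpPort(587);
        email.setStartTLSEnabled(true);
        email.setStartTLSRequired(true);
        email.setSSLCheckServerIdentity(true); // also applies to the upgraded connection
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        return email;
    }

    public static void main(String[] args) throws EmailException {
        // Placeholder host and credentials; replace with real values before running.
        Email email = implicitTls("smtp.example.com", "mailer", "change-me");
        email.setFrom("alerts@example.com");
        email.addTo("ops@example.com");
        email.setSubject("TLS-protected test message");
        email.setMsg("Sent over implicit TLS with server identity checking enabled.");
        email.send();
    }
}
```

Prefer implicitTls where the relay supports port 465; use requiredStartTls only when it does not, and never call setStartTLSEnabled(true) without setStartTLSRequired(true) for mail that carries credentials or sensitive content.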
Recipe
id: scw:apache:email:ssl-on-connect-disabled
version: 10
metadata:
  name: 'Email: Disabled SSL on Connect'
  shortDescription: When sending an email, SSL has been disabled on connection
  level: error
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/Email__Disabled_SSL_on_Connect.html
  tags: security;Apache Commons;web;email;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setSSLOnConnect
    type: org.apache.commons.mail.Email
availableFixes:
- name: Fix the code by setting setSSLOnConnect to True
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}(true)'