Sensei Hub

Recipe - Email: Disabled SSL Server Identity check

Description:
When sending an email, the setSSLCheckServerIdentity has been set to false
Level:
error
Language:
  • java
Tags:
  • security
  • Apache Commons
  • web
  • email
  • OWASP Top 10
Documentation

SSL/TLS with server identity verification should be enabled when sending email. Explicitly disabling TLS (setSSLOnConnect(false) with no STARTTLS) sends the SMTP credentials and the message contents in plaintext to anyone on the network path. Disabling the server identity check (setSSLCheckServerIdentity(false)) keeps the connection encrypted but no longer verifies that the presented certificate matches the SMTP host being connected to, so an attacker in the path can present any certificate the JVM trusts and read or alter the mail in transit, or redirect it to a spoofed server. Both settings must be left enabled: encryption without identity verification does not stop a man-in-the-middle.

Before
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSSLOnConnect(false);           // plaintext SMTP connection
email.setSSLCheckServerIdentity(false); // certificate host name is never checked
After
import org.apache.commons.mail.Email;
import org.apache.commons.mail.SimpleEmail;

Email email = new SimpleEmail();
email.setSSLOnConnect(true);            // TLS from the first byte (SMTPS)
email.setSSLCheckServerIdentity(true);  // certificate must match the configured host name
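The snippets above only toggle the two flags. The following is an added example (not part of this recipe page and not Apache Commons Email's own code) showing a complete, hardened configuration for both connection styles the library supports, and a check that can be run in a unit test without sending mail. It assumes commons-email 1.3 or later (the setSSLOnConnect / setSSLCheckServerIdentity / setStartTLSRequired methods), and it assumes, as I understand Email.getMailSession(), that the library exposes an enabled identity check as the JavaMail property mail.smtp.ssl.checkserveridentity on the Session it builds; the host, user and password values are constructed placeholders.

```java
import java.util.Properties;

import org.apache.commons.mail.DefaultAuthenticator;
import org.apache.commons.mail.Email;
import org.apache.commons.mail.EmailException;
import org.apache.commons.mail.SimpleEmail;

public final class HardenedMailer {

    // Implicit TLS (SMTPS, port 465): encrypted from the first byte, and the
    // server certificate must match the configured host name.
    public static Email smtpsEmail(String host, String user, String password) throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSslSmtpPort("465");            // commons-email takes the SSL port as a String
        email.setSSLOnConnect(true);
        email.setSSLCheckServerIdentity(true);  // the setting this recipe enforces
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        return email;
    }

    // STARTTLS (port 587): require the upgrade so a downgrade to plaintext
    // fails, and verify the identity of the upgraded connection as well.
    public static Email startTlsEmail(String host, String user, String password) throws EmailException {
        Email email = new SimpleEmail();
        email.setHostName(host);
        email.setSmtpPort(587);
        email.setStartTLSEnabled(true);
        email.setStartTLSRequired(true);        // abort if the server does not offer STARTTLS
        email.setSSLCheckServerIdentity(true);
        email.setAuthenticator(new DefaultAuthenticator(user, password));
        return email;
    }

    // Assumption: an enabled identity check is exported to the JavaMail Session
    // as mail.smtp.ssl.checkserveridentity=true, so a test can assert on it
    // without opening a network connection.
    public static boolean identityCheckIsActive(Email email) throws EmailException {
        Properties props = email.getMailSession().getProperties();
        return "true".equals(props.getProperty("mail.smtp.ssl.checkserveridentity"));
    }

    public static void main(String[] args) throws EmailException {
        // Constructed placeholder values; nothing is sent here.
        Email email = smtpsEmail("smtp.example.com", "user", "secret");
        email.setFrom("noreply@example.com");
        email.addTo("ops@example.com");
        email.setSubject("TLS test");
        email.setMsg("Sent over SMTPS with server identity verification.");
        System.out.println("identity check active: " + identityCheckIsActive(email));
        // email.send(); // would fail the handshake if the certificate does not match smtp.example.com
    }
}
```

Two practical notes. First, the identity check complements trust-chain validation rather than replacing it: the JVM still has to trust the issuing CA, and the check only adds the requirement that the certificate's name matches the host you asked for, which is exactly what stops a valid-but-wrong certificate from being accepted. Second, the recipe below matches the literal argument `false` (args value stringified "false"), so a call such as setSSLCheckServerIdentity(skipCheck) driven by a variable or configuration value is not flagged; such call sites need to be reviewed by hand.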
Recipe
id: scw:apache:email:ssl-check-disabled
version: 10
metadata:
  name: 'Email: Disabled SSL Server Identity check'
  shortDescription: When sending an email, the setSSLCheckServerIdentity has been set to false
  level: error
  language: java
  scwCategory: misconfig:securityfeatures
  enabled: true
  descriptionFile: descriptions/Email__Disabled_SSL_on_Connect.html
  tags: security;Apache Commons;web;email;OWASP Top 10
search:
  methodcall:
    args:
      1:
        type: boolean
        value:
          stringified: "false"
    name: setSSLCheckServerIdentity
    type: org.apache.commons.mail.Email
availableFixes:
- name: Set setSSLCheckServerIdentity to true
  actions:
  - rewrite:
      to: '{{{ expressionElement }}}(true)'