InsecureJavaMail.qhelp

<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
<qhelp>

  <overview>
    <p>JavaMail is commonly used in Java applications to send emails. There are popular third-party libraries like Apache Commons Email which are built on JavaMail and facilitate integration. Authenticated mail sessions require user credentials and mail sessions can require SSL/TLS authentication. It is a common security vulnerability that host-specific certificate data is not validated or is incorrectly validated. Failing to validate the certificate makes the SSL session susceptible to a man-in-the-middle attack.</p>
    <p>This query checks whether the SSL certificate is validated when credentials are used and SSL is enabled in email communications.</p>
    <p>The query has code for both plain JavaMail invocation and mailing through Apache SimpleMail to make it more comprehensive.</p>
  </overview>

  <recommendation>
    <p>Validate SSL certificate when sensitive information is sent in email communications.</p>
  </recommendation>

  <example>
    <p>The following two examples show two ways of configuring secure emails through JavaMail or Apache SimpleMail. In the 'BAD' case,
credentials are sent in an SSL session without certificate validation. In the 'GOOD' case, the certificate is validated.</p>
    <sample src="JavaMail.java" />
    <sample src="SimpleMail.java" />
  </example>

  <references>
    <li>
      Jakarta Mail:
      <a href="https://eclipse-ee4j.github.io/mail/docs/SSLNOTES.txt">SSL Notes</a>.
    </li>
    <li>
      Apache Commons:
      <a href="https://commons.apache.org/proper/commons-email/userguide.html#Security">Email security</a>.
    </li>
    <li>
      Log4j2:
      <a href="https://issues.apache.org/jira/browse/LOG4J2-2819">Add support for specifying an SSL configuration for SmtpAppender (CVE-2020-9488)</a>.
    </li>
  </references>
</qhelp>