diff --git a/SOURCES/jakarta-commons-httpclient-CVE-2014-3577.patch b/SOURCES/jakarta-commons-httpclient-CVE-2014-3577.patch
new file mode 100644
index 0000000..ac69c0b
--- /dev/null
+++ b/SOURCES/jakarta-commons-httpclient-CVE-2014-3577.patch
@@ -0,0 +1,92 @@ +From 6f55656e288808437389f7d733e9a466fa5f0e2b Mon Sep 17 00:00:00 2001 +From: Michal Srb +Date: Tue, 12 Aug 2014 16:14:06 +0200 +Subject: [PATCH] Fix CVE-2014-3577 + +--- + .../protocol/SSLProtocolSocketFactory.java | 57 ++++++++++++++-------- + 1 file changed, 37 insertions(+), 20 deletions(-) + +diff --git a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +index fa0acc7..e6ce513 100644 +--- a/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java ++++ b/src/java/org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java +@@ -44,9 +44,15 @@ import java.util.Iterator; + import java.util.LinkedList; + import java.util.List; + import java.util.Locale; +-import java.util.StringTokenizer; ++import java.util.NoSuchElementException; + import java.util.regex.Pattern; + ++import javax.naming.InvalidNameException; ++import javax.naming.NamingException; ++import javax.naming.directory.Attribute; ++import javax.naming.directory.Attributes; ++import javax.naming.ldap.LdapName; ++import javax.naming.ldap.Rdn; + import javax.net.ssl.SSLException; + import javax.net.ssl.SSLSession; + import javax.net.ssl.SSLSocket; +@@ -424,28 +430,39 @@ public class SSLProtocolSocketFactory implements SecureProtocolSocketFactory { + return dots; + } + +- private static String getCN(X509Certificate cert) { +- // Note: toString() seems to do a better job than getName() +- // +- // For example, getName() gives me this: +- // 1.2.840.113549.1.9.1=#16166a756c6975736461766965734063756362632e636f6d +- // +- // whereas toString() gives me this: +- // EMAILADDRESS=juliusdavies@cucbc.com +- String subjectPrincipal = cert.getSubjectX500Principal().toString(); +- +- return getCN(subjectPrincipal); +- ++ private static String getCN(final X509Certificate cert) { ++ final String subjectPrincipal = cert.getSubjectX500Principal().toString(); ++ try { ++ 
return extractCN(subjectPrincipal); ++ } catch (SSLException ex) { ++ return null; ++ } + } +- private static String getCN(String subjectPrincipal) { +- StringTokenizer st = new StringTokenizer(subjectPrincipal, ","); +- while(st.hasMoreTokens()) { +- String tok = st.nextToken().trim(); +- if (tok.length() > 3) { +- if (tok.substring(0, 3).equalsIgnoreCase("CN=")) { +- return tok.substring(3); ++ ++ private static String extractCN(final String subjectPrincipal) throws SSLException { ++ if (subjectPrincipal == null) { ++ return null; ++ } ++ try { ++ final LdapName subjectDN = new LdapName(subjectPrincipal); ++ final List rdns = subjectDN.getRdns(); ++ for (int i = rdns.size() - 1; i >= 0; i--) { ++ final Rdn rds = rdns.get(i); ++ final Attributes attributes = rds.toAttributes(); ++ final Attribute cn = attributes.get("cn"); ++ if (cn != null) { ++ try { ++ final Object value = cn.get(); ++ if (value != null) { ++ return value.toString(); ++ } ++ } catch (NoSuchElementException ignore) { ++ } catch (NamingException ignore) { ++ } + } + } ++ } catch (InvalidNameException e) { ++ throw new SSLException(subjectPrincipal + " is not a valid X500 distinguished name"); + } + return null; + } +-- +1.9.3 + diff --git a/SPECS/jakarta-commons-httpclient.spec b/SPECS/jakarta-commons-httpclient.spec index 645bfcc..c89b2c7 100644 --- a/SPECS/jakarta-commons-httpclient.spec +++ b/SPECS/jakarta-commons-httpclient.spec @@ -32,7 +32,7 @@ Name: jakarta-commons-httpclient Version: 3.1 -Release: 15%{?dist} +Release: 16%{?dist} Epoch: 1 Summary: Jakarta Commons HTTPClient implements the client side of HTTP standards License: ASL 2.0 and (ASL 2.0 or LGPLv2+) 
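Review bot: In the new `getCN(final X509Certificate cert)`, the `SSLException` that `extractCN` raises for an unparseable subject DN is caught and turned into `null`, so a malformed subject becomes indistinguishable from one with no CN. Whether verification then fails closed depends on the caller, which is outside this hunk. If the callers already declare `SSLException` (presumably the hostname-verification path does), drop the try/catch and declare `getCN(...) throws SSLException` so the rejection is explicit. The subject string is also still taken from `getSubjectX500Principal().toString()`, whose format is not specified, while `LdapName` parses RFC 2253 names; `cert.getSubjectX500Principal().getName(X500Principal.RFC2253)` would give it a defined input. In `extractCN`, the rethrow should keep the cause (`new SSLException(msg, e)`), and the two empty `catch (... ignore)` blocks deserve a comment such as `// no usable value in this RDN; try the next one`.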
@@ -45,6 +45,7 @@ Patch2: %{name}-encoding.patch # CVE-2012-5783: missing connection hostname check against X.509 certificate name # https://fisheye6.atlassian.com/changelog/httpcomponents?cs=1422573 Patch3: %{name}-CVE-2012-5783.patch +Patch4: %{name}-CVE-2014-3577.patch URL: http://jakarta.apache.org/commons/httpclient/ Group: Development/Libraries BuildArch: noarch @@ -124,6 +125,7 @@ popd %patch2 %patch3 -p2 +%patch4 -p1 # Use javax classes, not com.sun ones # assume no filename contains spaces @@ -195,6 +197,10 @@ install -p -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_mavenpomdir}/JPP-%{name}.pom %changelog +* Tue Aug 12 2014 Michal Srb - 1:3.1-16 +- Fix MITM security vulnerability +- Resolves: CVE-2014-3577 + * Fri Dec 27 2013 Daniel Mach - 1:3.1-15 - Mass rebuild 2013-12-27
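Review bot: `Patch4` is added without the comment lines that `Patch3` directly above it carries, which say what the CVE is and where the fix came from. A matching line such as `# CVE-2014-3577: CN extraction from the certificate subject DN in hostname verification (MITM)`, plus a reference to the upstream change, would keep the patch list self-explanatory for the next person auditing which fixes this build carries.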