Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-8039

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Published

2018-07-02T13:29:00.413

Last Modified

2024-11-21T04:13:09.517

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.1 (HIGH)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

8.6

Impact Score

6.4

Weaknesses

Type: Primary
CWE-755

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	cxf	< 3.1.16	Yes
Application	apache	cxf	< 3.2.5	Yes
Application	redhat	jboss_enterprise_application_platform	7.1.0	Yes

References

http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2 Mailing List, Vendor Advisory ([email protected])
http://www.securityfocus.com/bid/106357 ([email protected])
http://www.securitytracker.com/id/1041199 Third Party Advisory, VDB Entry ([email protected])
https://access.redhat.com/errata/RHSA-2018:2276 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2277 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2279 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2423 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2424 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2425 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2428 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:2643 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2018:3768 ([email protected])
https://access.redhat.com/errata/RHSA-2018:3817 ([email protected])
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b Patch, Third Party Advisory ([email protected])
https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E ([email protected])
https://www.oracle.com/security-alerts/cpuapr2020.html ([email protected])
https://www.oracle.com/security-alerts/cpujan2020.html ([email protected])
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html ([email protected])
http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2 Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/106357 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1041199 Third Party Advisory, VDB Entry (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2276 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2277 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2279 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2423 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2424 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2425 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2428 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:2643 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:3768 (af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:3817 (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2020.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpujan2020.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html (af854a3a-2127-422b-91ae-364da2661108)