Vulnerability Details : CVE-2018-8039
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
Products affected by CVE-2018-8039
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:cxf:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-8039
1.91%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 82 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-8039
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
6.8
|
MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
8.6
|
6.4
|
NIST | |
|
8.1
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
2.2
|
5.9
|
NIST |
CWE ids for CVE-2018-8039
-
The product does not handle or incorrectly handles an exceptional condition.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-8039
-
https://access.redhat.com/errata/RHSA-2018:2277
RHSA-2018:2277 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/security-alerts/cpujan2020.html
Oracle Critical Patch Update Advisory - January 2020
-
https://access.redhat.com/errata/RHSA-2018:2428
RHSA-2018:2428 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2
Mailing List;Vendor Advisory
-
http://www.securitytracker.com/id/1041199
Apache CXF 'com.sun.net.ssl' Lets Remote Users Bypass TLS Hostname Verification on the Target System - SecurityTrackerThird Party Advisory;VDB Entry
-
https://www.oracle.com/security-alerts/cpuapr2020.html
Oracle Critical Patch Update Advisory - April 2020
-
https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866@%3Cdev.cxf.apache.org%3E
Apache CXF 3.2.6 and 3.1.16 are released - Pony MailMailing List;Vendor Advisory
-
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf@%3Ccommits.cxf.apache.org%3E
svn commit: r1058035 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-17573.txt.asc security-advisories.html - Pony Mail
-
https://access.redhat.com/errata/RHSA-2018:2276
RHSA-2018:2276 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Oracle Critical Patch Update - July 2019
-
https://access.redhat.com/errata/RHSA-2018:2423
RHSA-2018:2423 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:3768
RHSA-2018:3768 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2018:3817
RHSA-2018:3817 - Security Advisory - Red Hat Customer Portal
-
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c@%3Ccommits.cxf.apache.org%3E
svn commit: r1055336 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2019-12423.txt.asc security-advisories.data/CVE-2019-17573.txt.asc security-advisories.htm
-
https://access.redhat.com/errata/RHSA-2018:2425
RHSA-2018:2425 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4@%3Ccommits.cxf.apache.org%3E
svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html - Pony Mail
-
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6@%3Ccommits.cxf.apache.org%3E
svn commit: r1067927 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2020-13954.txt.asc security-advisories.html - Pony Mail
-
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4@%3Ccommits.cxf.apache.org%3E
svn commit: r1058573 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2020-1954.txt.asc security-advisories.html - Pony Mail
-
https://access.redhat.com/errata/RHSA-2018:2643
RHSA-2018:2643 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:2424
RHSA-2018:2424 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2018:2279
RHSA-2018:2279 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e@%3Ccommits.cxf.apache.org%3E
svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html - Pony Mail
-
http://www.securityfocus.com/bid/106357
Apache CXF CVE-2018-8039 TLS Hostname Verification Security Bypass Vulnerability
-
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b
Fix hostname verification using the deprecated SSL stack · apache/cxf@fae6fab · GitHubPatch;Third Party Advisory
Jump to