8.1

CVE-2018-8039

EPSS 1.91%
Published 02.07.2018 13:29:00
Last modified 21.11.2024 04:13:09
Source security@apache.org
Teams watchlist Login
Open Login

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Affected products Warnungen 0 Metrics 3 CWE 1 References 27

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Cxf Version < 3.1.16

Apache ≫ Cxf Version >= 3.2.0 < 3.2.5

Redhat ≫ Jboss Enterprise Application Platform Version7.1.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.91%	0.823

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6.8	8.6	6.4	AV:N/AC:M/Au:N/C:P/I:P/A:P

CWE-755 Improper Handling of Exceptional Conditions

The product does not handle or incorrectly handles an exceptional condition.

https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

https://www.oracle.com/security-alerts/cpujan2020.html

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

https://www.oracle.com/security-alerts/cpuapr2020.html

https://access.redhat.com/errata/RHSA-2018:3768

https://access.redhat.com/errata/RHSA-2018:2423

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2424

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2425

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2428

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3817

https://access.redhat.com/errata/RHSA-2018:2643

Third Party Advisory

http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2

Vendor Advisory

Mailing List

http://www.securityfocus.com/bid/106357

http://www.securitytracker.com/id/1041199

Third Party Advisory

VDB Entry

https://access.redhat.com/errata/RHSA-2018:2276

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2277

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2279

Third Party Advisory

https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b

Patch

Third Party Advisory

https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E

https://nvd.nist.gov/vuln/detail/CVE-2018-8039

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-8039

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-8039

EUVD