Home > Vulnerability Database > CVE-2018-8039

Mend.io Vulnerability Database

CVE-2018-8039

Good to know:

Date: June 27, 2018

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol";);'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Language: Java

Severity Score

8.1

Related Resources (26)

Url: https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E

Url: https://www.oracle.com/security-alerts/cpuapr2020.html

Url: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Url: http://www.securitytracker.com/id/1041199

Url: https://access.redhat.com/errata/RHSA-2018:3768

Url: https://access.redhat.com/errata/RHSA-2018:2643

Url: https://access.redhat.com/errata/RHSA-2018:2423

Url: https://access.redhat.com/errata/RHSA-2018:2424

Url: https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E

Url: https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:3817

Url: https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E

Url: http://www.securityfocus.com/bid/106357

Url: https://access.redhat.com/errata/RHSA-2018:2428

Url: https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:2425

Url: https://nvd.nist.gov/vuln/detail/CVE-2018-8039

Url: https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b

Url: https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E

Url: http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2

Url: https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2018:2279

Url: https://www.oracle.com/security-alerts/cpujan2020.html

Url: https://access.redhat.com/errata/RHSA-2018:2276

Url: https://access.redhat.com/errata/RHSA-2018:2277

Url: https://www.mend.io/vulnerability-database/CVE-2018-8039

Severity Score

8.1

Weakness Type (CWE)

Security Features

CWE-254

Improper Handling of Exceptional Conditions

CWE-755

Top Fix

Upgrade Version

Upgrade to version 3.2.5,3.1.16

Learn More

CVSS v3.1

Base Score:	8.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2018-8039

Good to know:

Date: June 27, 2018

Language: Java

Severity Score

Related Resources (26)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?