It was discovered that when Apache CXF is configured to use the system property com.sun.net.ssl.internal.www.protocol, it uses reflection to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. The CXF implementation throws an exception on a failed check, but that exception is caught in the reflection code and not properly propagated, so the hostname check is effectively bypassed; this can lead to a man-in-the-middle attack.
Find out more about CVE-2018-8039 from the MITRE CVE dictionary and NIST NVD.
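The failure mode described above, a reflective bridge between two HostnameVerifier interfaces that catches the underlying verifier's exception and lets the connection proceed, is easiest to see beside the fail-closed version. The following is an added illustrative example and is not Apache CXF's code; the class and method names (StrictVerifier, verifySwallowing, verifyPropagating) are hypothetical, and the vulnerable bridge is a simplified stand-in for the pattern the advisory describes, not a copy of the CXF implementation.

```java
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

public class ReflectiveVerifierDemo {

    // Hypothetical verifier standing in for the application's real one.
    // It signals a failed check by throwing, which is the behaviour the advisory attributes to CXF.
    public static class StrictVerifier implements HostnameVerifier {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            throw new IllegalStateException("hostname mismatch for " + hostname);
        }
    }

    // VULNERABLE pattern (simplified, hypothetical): the reflective call throws an
    // InvocationTargetException wrapping the verifier's exception, the bridge catches
    // everything, and the failure is never propagated to the TLS layer.
    static boolean verifySwallowing(HostnameVerifier target, String hostname, SSLSession session) {
        try {
            Method m = HostnameVerifier.class.getMethod("verify", String.class, SSLSession.class);
            return (Boolean) m.invoke(target, hostname, session);
        } catch (Exception e) {
            // The real verifier's rejection is lost here; the caller sees "accepted".
            return true;
        }
    }

    // HARDENED pattern: unwrap InvocationTargetException and propagate the verifier's
    // own exception; if the bridge itself cannot invoke the verifier, fail closed.
    static boolean verifyPropagating(HostnameVerifier target, String hostname, SSLSession session) {
        try {
            Method m = HostnameVerifier.class.getMethod("verify", String.class, SSLSession.class);
            return (Boolean) m.invoke(target, hostname, session);
        } catch (InvocationTargetException e) {
            Throwable cause = e.getCause();
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw new IllegalStateException("hostname verification failed", cause);
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("cannot invoke hostname verifier; refusing connection", e);
        }
    }

    public static void main(String[] args) {
        HostnameVerifier verifier = new StrictVerifier();
        String peer = "example.invalid"; // constructed sample hostname

        // The swallowing bridge reports success even though the verifier rejected the peer.
        System.out.println("swallowing bridge accepts peer: " + verifySwallowing(verifier, peer, null));

        // The propagating bridge surfaces the rejection so the TLS handshake can be aborted.
        try {
            System.out.println("propagating bridge accepts peer: " + verifyPropagating(verifier, peer, null));
        } catch (RuntimeException e) {
            System.out.println("propagating bridge rejects peer: " + e.getMessage());
        }
    }
}
```

The point a reviewer or detection engineer should take from this is that any catch block in a hostname or certificate verification path must either rethrow or return false; a catch that returns true, returns a default, or only logs turns a failed check into an accepted connection.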
Metric | Value
---|---
CVSS3 Base Score | 6.5
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector | Network
Attack Complexity | Low
Privileges Required | None
User Interaction | None
Scope | Unchanged
Confidentiality Impact | Low
Integrity Impact | Low
Availability Impact | None
Platform | Errata | Release Date
---|---|---
Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts (rhvm-appliance) | RHSA-2018:2643 | 2018-09-04
Red Hat JBoss EAP 7.1 | RHSA-2018:2277 | 2018-07-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server | RHSA-2018:2424 | 2018-08-15
Red Hat JBoss Fuse 6.3 | RHSA-2018:3817 | 2018-12-11
Red Hat JBoss EAP 7.1 | RHSA-2018:2425 | 2018-08-15
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server | RHSA-2018:2423 | 2018-08-15
Red Hat JBoss Fuse 7 | RHSA-2018:3768 | 2018-12-04
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-apache-cxf) | RHSA-2018:2276 | 2018-07-26
Red Hat Single Sign-On 7.2 | RHSA-2018:2279 | 2018-07-26
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-apache-cxf) | RHSA-2018:2276 | 2018-07-26
Red Hat Single Sign-On 7.2 | RHSA-2018:2428 | 2018-08-15
Red Hat JBoss A-MQ 6.3 | RHSA-2018:3817 | 2018-12-11
Platform | Package | State
---|---|---
Red Hat Virtualization 4 | eap7-apache-cxf | Affected
Red Hat Single Sign-On 7 | cxf-core | Affected
Red Hat OpenShift Application Runtimes 1.0 | springboot | Affected
Red Hat JBoss EAP 6 | cxf-core | Not affected
Red Hat JBoss Data Virtualization 6 | cxf-core | Under investigation
Red Hat JBoss BRMS 6 | cxf | Affected
Red Hat JBoss BPMS 6 | cxf-core | Affected