CVE-2018-8039

Published: 02/07/2018 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. In Apache CXF before 3.2.5 and 3.1.16, that exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
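The failure mode described above, reduced to an illustrative Java sketch that is added here and is not Apache CXF's own code: a reflective bridge to a legacy two-String verify(...) method whose reflection failure is swallowed (the CWE-755 pattern), beside a fail-closed version that propagates the error so the TLS connection aborts. The class and method names are assumptions.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.net.ssl.SSLSession;

// Stand-in verifier (hypothetical) that only implements the modern
// javax.net.ssl.HostnameVerifier signature, so a reflective call to the
// legacy com.sun.net.ssl two-String verify(...) cannot find a method.
class ModernOnlyVerifier {
    public boolean verify(String hostname, SSLSession session) {
        return false;
    }
}

public class HostnameVerifierBridge {
    // Vulnerable pattern (CWE-755): the reflection failure is caught and
    // turned into a "pass", so the caller never learns verification did not run.
    static boolean bridgeSwallowing(Object v, String urlHost, String certHost) {
        try {
            Method m = v.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(v, urlHost, certHost);
        } catch (ReflectiveOperationException e) {
            return true; // silently accepted: the TLS connection proceeds unverified
        }
    }

    // Fail-closed pattern: any failure to run the verifier aborts the connection.
    static boolean bridgeFailClosed(Object v, String urlHost, String certHost) {
        try {
            Method m = v.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(v, urlHost, certHost);
        } catch (InvocationTargetException e) {
            // the verifier itself threw: propagate its real cause
            throw new IllegalStateException("hostname verification failed", e.getCause());
        } catch (ReflectiveOperationException e) {
            throw new IllegalStateException("hostname verifier cannot be bridged", e);
        }
    }

    public static void main(String[] args) {
        Object v = new ModernOnlyVerifier();
        System.out.println("swallowing: " + bridgeSwallowing(v, "example.test", "other.test"));
        try {
            bridgeFailClosed(v, "example.test", "other.test");
        } catch (IllegalStateException e) {
            System.out.println("fail-closed: " + e.getMessage());
        }
    }
}
```

With the swallowing bridge the mismatched verifier is reported as "true" and the handshake continues; the fail-closed bridge surfaces the bridging error instead.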

Vulnerable Products

apache cxf

redhat jboss enterprise application platform 7.1.0

Vendor Advisories

Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.1 security update Type/Severity Security Advisory: Important Topic A security update is now available for Red Hat JBoss Enterprise Application Platform from the Customer Portal. Red Hat Product Security has rated this update as having a secu ...
Synopsis Important: Red Hat Single Sign-On 7.2 security update Type/Severity Security Advisory: Important Topic A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerab ...
Synopsis Important: Red Hat Fuse 7.2 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat Fuse. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a de ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL 7 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as ...
Synopsis Important: Red Hat JBoss Enterprise Application Platform 7.1.4 on RHEL 6 security update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Enterprise Application Platform 7.1 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as ...
Synopsis Important: rhvm-appliance security update Type/Severity Security Advisory: Important Topic An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vuln ...
Synopsis Important: Red Hat JBoss Fuse/A-MQ 6.3 R10 security and bug fix update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Fuse 6.3 and Red Hat JBoss A-MQ 6.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common ...
Synopsis Important: Red Hat Single Sign-On 7.2.4 security update Type/Severity Security Advisory: Important Topic A security update is now available for Red Hat Single Sign-On 7.2 from the Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulner ...
It was discovered that when Apache CXF is configured to use the system property com.sun.net.ssl.internal.www.protocol, it uses reflection to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. Although the CXF implementation throws an exception, it is caught in the reflection code and not properly propagated ...

References

CWE-755
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b
http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2
http://www.securitytracker.com/id/1041199
https://access.redhat.com/errata/RHSA-2018:2279
https://access.redhat.com/errata/RHSA-2018:2277
https://access.redhat.com/errata/RHSA-2018:2276
https://access.redhat.com/errata/RHSA-2018:2428
https://access.redhat.com/errata/RHSA-2018:2425
https://access.redhat.com/errata/RHSA-2018:2424
https://access.redhat.com/errata/RHSA-2018:2423
https://access.redhat.com/errata/RHSA-2018:2643
https://access.redhat.com/errata/RHSA-2018:3768
https://access.redhat.com/errata/RHSA-2018:3817
http://www.securityfocus.com/bid/106357
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E
https://nvd.nist.gov
https://access.redhat.com/security/cve/cve-2018-8039