CVE-2018-8039: High severity Apache CXF vulnerability

Published Jun 26, 2018
·
Updated

A flaw was found in the way Apache CXF handle exceptions when CXF is configured to use the com.sun.net.ssl implementation via System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol") function. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface therefore an exception is thrown. The exception is caught in the reflection code but not properly propagated which leaves CXF client subject to man-in-the-middle attacks.

Upstream Patch: https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d7

Other sources

Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.

IBM

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

MITRE

Affected Software

16 affected componentsFixes available
redhat/apache-cxf<3.2.5
3.2.5
redhat/apache-cxf<3.1.16
3.1.16
Apache CXF<3.1.16
Apache CXF>=3.2.0<3.2.5
redhat JBoss Enterprise Application Platform=7.1.0
IBM Security Guardium<=10.5
IBM Security Guardium<=10.6
IBM Security Guardium<=11.0
IBM Security Guardium<=11.1
IBM Security Guardium<=11.2
IBM Security Guardium<=11.3
IBM Security Guardium<=11.4
maven/org.apache.cxf:cxf-rt-transports-http<3.1.16
3.1.16
maven/org.apache.cxf:cxf-rt-transports-http>=3.2.0<3.2.5
3.2.5
maven/org.apache.cxf:apache-cxf<3.1.16
3.1.16
maven/org.apache.cxf:apache-cxf>=3.2.0<3.2.5
3.2.5

Remediation

Patch Available

https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b

Event History

Jun 26, 2018
Data Sourced
via Red Hat·04:05 PM
DescriptionSeverityAffected Software
Jul 2, 2018
CVE Published
via MITRE·01:00 PM
Data Sourced
via MITRE·01:00 PM
DescriptionWeakness
Oct 19, 2018
Advisory Published
via GitHub·04:40 PM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2018-8039?

CVE-2018-8039 is a vulnerability in Apache CXF that could allow a remote attacker to conduct a man-in-the-middle attack.

2

How does the vulnerability in Apache CXF work?

The vulnerability is caused by configuring Apache CXF to use the com.sun.net.ssl implementation, which allows the HostnameVerifier to work with old com.sun classes.

3

What is the severity of CVE-2018-8039?

The severity of CVE-2018-8039 is high, with a CVSS score of 8.1.

4

Which software versions are affected by CVE-2018-8039?

Apache CXF versions up to 3.2.5 and versions up to 3.1.16 are affected by CVE-2018-8039.

5

How can I fix CVE-2018-8039?

To fix CVE-2018-8039, upgrade to Apache CXF version 3.2.6 or later, or version 3.1.17 or later.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203