CVE-2018-8039

Summary

CVE	CVE-2018-8039
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-07-02 13:29:00 UTC
Updated	2023-11-07 03:01:00 UTC
Description	It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Risk And Classification

Problem Types: CWE-755

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Cxf	All	All	All	All
Application	Apache	Cxf	All	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.1.0	All	All	All
Application	Redhat	Jboss Enterprise Application Platform	7.1.0	All	All	All

References

Reference	Source	Link	Tags
Fix hostname verification using the deprecated SSL stack · apache/cxf@fae6fab · GitHub	CONFIRM	github.com	Patch, Third Party Advisory
Apache CXF 'com.sun.net.ssl' Lets Remote Users Bypass TLS Hostname Verification on the Target System - SecurityTracker	SECTRACK	www.securitytracker.com	Third Party Advisory, VDB Entry
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Apache CXF CVE-2018-8039 TLS Hostname Verification Security Bypass Vulnerability	BID	www.securityfocus.com
[cxf-commits] 20210402 svn commit: r1073270 - in /websites/production/cxf/content: cache/main.pageCache security-advisories.data/CVE-2021-22696.txt.asc security-advisories.html		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Pony Mail!		lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc	CONFIRM	cxf.apache.org	Mailing List, Vendor Advisory
Oracle Critical Patch Update - July 2019	MISC	www.oracle.com
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Pony Mail!	MLIST	lists.apache.org
[cxf-commits] 20210616 svn commit: r1075801 - in /websites/production/cxf/content: cache/main.pageCache index.html security-advisories.data/CVE-2021-30468.txt.asc security-advisories.html		lists.apache.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Pony Mail!		lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org
Pony Mail!	MLIST	lists.apache.org	Mailing List, Vendor Advisory
Oracle Critical Patch Update Advisory - January 2020	MISC	www.oracle.com
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Oracle Critical Patch Update Advisory - April 2020	N/A	www.oracle.com
Pony Mail!		lists.apache.org
Pony Mail!		lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

983484 Java (maven) Security Update for org.apache.cxf:apache-cxf (GHSA-jc7r-v6fg-2gpf)