It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
References
Link Providers
http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2 cve-icon cve-icon cve-icon
http://www.securityfocus.com/bid/106357 cve-icon cve-icon
http://www.securitytracker.com/id/1041199 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2276 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2277 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2279 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2423 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2424 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2425 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2428 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:2643 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3768 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2018:3817 cve-icon cve-icon
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b cve-icon cve-icon
https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2018-8039 cve-icon
https://www.cve.org/CVERecord?id=CVE-2018-8039 cve-icon
https://www.oracle.com/security-alerts/cpuapr2020.html cve-icon cve-icon
https://www.oracle.com/security-alerts/cpujan2020.html cve-icon cve-icon
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html cve-icon cve-icon
History

Fri, 23 Aug 2024 05:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:jboss_enterprise_application_platform:7::el7 cpe:/a:redhat:jboss_enterprise_application_platform:7.1::el7

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published: 2018-07-02T13:00:00Z

Updated: 2024-09-17T04:04:46.184Z

Reserved: 2018-03-09T00:00:00

Link: CVE-2018-8039

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2018-07-02T13:29:00.413

Modified: 2024-11-21T04:13:09.517

Link: CVE-2018-8039

cve-icon Redhat

Severity : Important

Publid Date: 2018-06-29T00:00:00Z

Links: CVE-2018-8039 - Bugzilla