TLS Hostname Verification Issue in Apache CXF by The Apache Software Foundation
CVE-2018-8039

8.1HIGH

Key Information:

Vendor
Apache
Status
Apache Cxf
Vendor
CVE Published:
2 July 2018

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Apache CXF can be configured to utilize an outdated SSL implementation, which leads to improper handling of TLS hostname verification. This issue arises when the system property 'java.protocol.handler.pkgs' points to the non-secure com.sun.net.ssl package. The CXF framework attempts to implement hostname verification through reflection, but the default HostnameVerifier fails to properly propagate errors. As a result, clients utilizing the com.sun.net.ssl stack may inadvertently bypass critical security checks, leaving them exposed to potential man-in-the-middle attacks, where malicious entities could intercept sensitive communications without detection.

Affected Version(s)

Apache CXF prior to 3.1.16

Apache CXF 3.2.x prior to 3.2.5

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2018-8039
Created by tafamace

References

https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9c...
x_refsource_CONFIRM
https://access.redhat.com/errata/RHSA-2018:2428
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2018:3817
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.