-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512


CVE-2018-8039: Apache CXF TLS hostname verification does not work correctly
with com.sun.net.ssl.*

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:

This vulnerability affects all versions of Apache CXF prior to 3.2.5 and
3.1.16.

Description:

It is possible to configure CXF to use the com.sun.net.ssl implementation via:

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

When this system property is set, CXF uses reflection to adapt its
HostnameVerifier to the old com.sun.net.ssl.HostnameVerifier interface.
However, the default HostnameVerifier implementation in CXF does not implement
the method of that interface, so the reflective call throws an exception. That
exception is caught in the reflection code and is not propagated to the caller.

What this means is that if you are using the com.sun.net.ssl stack with CXF,
a TLS hostname verification failure is never raised: the connection proceeds
without an effective hostname check, leaving a CXF client subject to
man-in-the-middle attacks.
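As an added illustration (this is not CXF's own code and not the content of the fix commit), the following Java program shows the fail-open pattern the description refers to: a reflective bridge from javax.net.ssl.HostnameVerifier (verify(String, SSLSession)) to the legacy com.sun.net.ssl.HostnameVerifier signature (verify(String, String)) that catches the NoSuchMethodException and carries on, placed next to a bridge that fails closed. The verifier classes, the method names bridgeFailOpen and bridgeFailClosed, and the host names are assumptions constructed for the demo.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/**
 * Hypothetical demo of the CVE-2018-8039 failure mode; not Apache CXF code.
 * Legacy com.sun.net.ssl.HostnameVerifier: boolean verify(String urlHostname, String certHostname)
 * Modern javax.net.ssl.HostnameVerifier:   boolean verify(String hostname, SSLSession session)
 * A reflective bridge between the two must never treat "method missing" as "check passed".
 */
public class ReflectiveHostnameVerifierDemo {

    /** Implements only the modern interface, so there is no verify(String, String) to call. */
    public static final class ModernOnlyVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return session != null && hostname.equals(session.getPeerHost());
        }
    }

    /** Implements both shapes, as a verifier that really supports the legacy stack would. */
    public static final class DualVerifier implements HostnameVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return session != null && hostname.equals(session.getPeerHost());
        }
        public boolean verify(String urlHostname, String certHostname) {
            return urlHostname.equalsIgnoreCase(certHostname);
        }
    }

    /** VULNERABLE pattern: the reflective bridge swallows every failure and reports success. */
    static boolean bridgeFailOpen(HostnameVerifier v, String urlHost, String certHost) {
        try {
            Method m = v.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(v, urlHost, certHost);
        } catch (Exception e) {
            // NoSuchMethodException for ModernOnlyVerifier lands here and is discarded,
            // so the caller continues as if the hostname had been checked.
            return true;
        }
    }

    /** HARDENED pattern: if the legacy method is absent or throws, refuse the connection. */
    static boolean bridgeFailClosed(HostnameVerifier v, String urlHost, String certHost) {
        Method m;
        try {
            m = v.getClass().getMethod("verify", String.class, String.class);
        } catch (NoSuchMethodException e) {
            return false; // cannot verify, therefore do not trust
        }
        try {
            return (Boolean) m.invoke(v, urlHost, certHost);
        } catch (IllegalAccessException | InvocationTargetException e) {
            return false; // a verifier that blew up did not verify anything
        }
    }

    public static void main(String[] args) {
        String urlHost = "api.example.test";       // host the client intended to reach (constructed)
        String certHost = "attacker.example.test"; // name in the certificate a MITM presents (constructed)

        HostnameVerifier modernOnly = new ModernOnlyVerifier();
        HostnameVerifier dual = new DualVerifier();

        System.out.println("fail-open bridge, modern-only verifier:    "
                + bridgeFailOpen(modernOnly, urlHost, certHost));
        System.out.println("fail-closed bridge, modern-only verifier:  "
                + bridgeFailClosed(modernOnly, urlHost, certHost));
        System.out.println("fail-closed bridge, dual verifier, mismatch: "
                + bridgeFailClosed(dual, urlHost, certHost));
        System.out.println("fail-closed bridge, dual verifier, match:    "
                + bridgeFailClosed(dual, urlHost, urlHost));
    }
}
```

Compile and run with javac/java; the first line of output is the point of the advisory: with the fail-open bridge a verifier that lacks the legacy method is reported as having accepted a certificate for a different host, while the fail-closed bridge rejects that case and only accepts when a verifier that actually implements the legacy method agrees the names match.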

This has been fixed in revision:

https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b

Migration:

Apache CXF users who are using the com.sun.net.ssl implementation should
upgrade to 3.2.5 or 3.1.16 as soon as possible.

-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE20Xs0ZuXUU9ycQWuZ7+AsQrVOYMFAlsxFawACgkQZ7+AsQrV
OYNTnQf+NPXufPNqf24h8qfexe7qo5p5yIWMqKzpaQqzjPUSMw9Bq4UhySIqbUTo
cNo2p9aSsCHYz/AYKxN2k08nqNmG/e8cHtlMGwQylbqY3WEhjQAcvkIDKtwjBIVE
4MqE6RH0wOaFab1NnbF6TWR3bmCRsr9iMuFi3RrQv7pWAS6YAoJGFEua8IVjuPrd
KypJunpOc606eRmeaD1a6sLybqkxvQhhN+xGq20MwbPSv2CVRaTGrBa1nN7kdhNW
JHVPxyvewRGuPYd5g5BfoHzvdMuIqSXK3t43PVLKTApouCXfrWkIoPIMJge30arZ
PXEwwN8LRvJfcG0CPNUb7/AAfk0VLQ==
=xqB7
-----END PGP SIGNATURE-----