PT-2018-3364 · Apache · Apache Cxf
Published: 2018-07-02 · Updated: 2021-06-16 · CVE-2018-8039
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Apache CXF versions prior to 3.2.5
Apache CXF versions prior to 3.1.16
Description:
The issue arises when Apache CXF is configured, through a system property, to use the com.sun.net.ssl implementation. With that property set, CXF uses reflection to make its HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, so an exception is thrown. In Apache CXF prior to the specified versions, that exception is caught in the reflection code and not properly propagated, which means that a TLS hostname verification error is never raised, leaving a CXF client subject to man-in-the-middle attacks.
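The fail-open pattern the description refers to, shown as an added illustration in plain Java (constructed for this page, not Apache CXF's own code; the class and method names are hypothetical and the real CXF call path differs): the reflective lookup of the com.sun-style verify(String, String) method fails on a verifier that only implements the javax.net.ssl-style method, and swallowing that failure is what turns a verification error into an accepted connection.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLSession;

// Constructed illustration of the bug class in CVE-2018-8039. All names here are
// hypothetical; this is not Apache CXF's code.
public class HostnameVerifierBridgeDemo {

    // Stand-in for a verifier that only implements the javax.net.ssl-style method.
    // It has no verify(String, String), so a reflective lookup for that name fails.
    static class DefaultVerifier {
        public boolean verify(String hostname, SSLSession session) {
            return session != null && hostname.equalsIgnoreCase(session.getPeerHost());
        }
    }

    // Vulnerable shape: the reflection failure is swallowed and the caller
    // proceeds as if the hostname had been verified.
    static boolean bridgeFailOpen(Object verifier, String urlHost, String certHost) {
        try {
            Method m = verifier.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(verifier, urlHost, certHost);
        } catch (Exception e) {
            return true;   // BUG: an error in performing the check is treated as success
        }
    }

    // Hardened shape: a check that could not be performed is a failed check,
    // and the cause is propagated instead of being dropped.
    static boolean bridgeFailClosed(Object verifier, String urlHost, String certHost) {
        try {
            Method m = verifier.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(verifier, urlHost, certHost);
        } catch (ReflectiveOperationException | RuntimeException e) {
            throw new SecurityException("hostname verification could not be performed", e);
        }
    }

    public static void main(String[] args) {
        Object verifier = new DefaultVerifier();
        // Certificate host does not match the URL host, yet the fail-open bridge says "true".
        System.out.println("fail-open  : " + bridgeFailOpen(verifier, "api.example", "other.example"));
        try {
            bridgeFailClosed(verifier, "api.example", "other.example");
        } catch (SecurityException e) {
            System.out.println("fail-closed: " + e.getMessage() + " (" + e.getCause() + ")");
        }
    }
}
```

Detecting this class of defect in review comes down to the catch block: any exception path out of a hostname, certificate or signature check must end in rejection, never in a default "true".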
Recommendations:
For Apache CXF versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue.
For Apache CXF versions prior to 3.1.16, update to version 3.1.16 or later to resolve the issue.
As a temporary workaround, consider avoiding the use of the com.sun.net.ssl stack with CXF until a patch is available.
Weakness Enumeration
Improper Handling of Exceptional Conditions
Related identifiers
Affected products
Apache Cxf