PT-2020-4631 · Apache · Apache Cxf

Published 2020-04-01 · Updated 2022-02-21 · CVE-2020-1954

CVSS v2.0: 5.7 (Medium)
Vector: AV:A/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Apache CXF (affected versions not specified)
Description: The issue stems from how connections are established in the Apache CXF web services framework and allows a remote attacker to gain unauthorized access to protected information. Specifically, Apache CXF integrates with JMX by registering an InstrumentationManager extension with the CXF bus; this integration is exploitable when the createMBServerConnectorFactory property of the default InstrumentationManagerImpl is left enabled. The exposed connector is open to a man-in-the-middle (MITM) style attack: an attacker on the same host can connect to the registry, rebind the entry to another server, and act as a proxy to the original, thereby gaining access to all information sent and received over JMX.
Recommendations: As a temporary workaround, disable the createMBServerConnectorFactory property of the default InstrumentationManagerImpl until a patch is available. Restrict access to the JMX registry to minimize the risk of exploitation, and avoid using the InstrumentationManager extension with the CXF bus until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
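The two registrations side by side, as an added example that is not part of the advisory or of the CXF project's own code: it assumes Apache CXF on the classpath, uses the public setters of InstrumentationManagerImpl, and the JMX service URL is a constructed sample value.

```java
// Added example (not from the advisory or the CXF project): weak versus hardened
// registration of CXF's JMX InstrumentationManager on the bus. Assumes CXF on the
// classpath; the service URL below is a constructed sample value.
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.management.InstrumentationManager;
import org.apache.cxf.management.jmx.InstrumentationManagerImpl;

public class CxfJmxHardening {

    // WEAK: createMBServerConnectorFactory stays at its default (true), so CXF
    // starts its own RMI registry and JMX connector at the service URL. That
    // CXF-owned registry entry is what the advisory says a local attacker can
    // rebind and proxy.
    static InstrumentationManager weakRegistration(Bus bus) {
        InstrumentationManagerImpl im = new InstrumentationManagerImpl();
        im.setBus(bus);
        im.setEnabled(true);
        im.setJMXServiceURL("service:jmx:rmi:///jndi/rmi://localhost:9913/jmxrmi");
        bus.setExtension(im, InstrumentationManager.class);
        im.init();
        return im;
    }

    // HARDENED: keep CXF's MBeans but do not start the CXF-owned connector
    // (the advisory's workaround). MBeans go to the JVM platform MBeanServer,
    // so any remote access runs through the JVM's own JMX agent, which can be
    // configured with authentication and TLS instead of an open local registry.
    static InstrumentationManager hardenedRegistration(Bus bus) {
        InstrumentationManagerImpl im = new InstrumentationManagerImpl();
        im.setBus(bus);
        im.setEnabled(true);
        im.setUsePlatformMBeanServer(true);
        im.setCreateMBServerConnectorFactory(false);
        bus.setExtension(im, InstrumentationManager.class);
        im.init();
        return im;
    }

    public static void main(String[] args) {
        Bus bus = BusFactory.getDefaultBus();
        InstrumentationManager im = hardenedRegistration(bus);
        // With the connector factory off, the MBeanServer is the platform one
        // and no CXF-specific registry is listening for local rebinding.
        System.out.println("CXF MBeanServer: " + im.getMBeanServer());
        bus.shutdown(true);
    }
}
```

A quick check after deployment: with the hardened form, `ss -ltnp` (or `netstat`) should show no listener on the port from the CXF service URL, only whatever the JVM's own JMX agent was explicitly configured to open.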

Exploit

Information Disclosure


Weakness Enumeration

Related Identifiers

BDU:2020-05180
CVE-2020-1954
GHSA-FFM7-7R8G-77XM
RHSA-2020:4244
RHSA-2020:4245
RHSA-2020:4246

Affected Products

Apache Cxf