Bug 1595332 (CVE-2018-8039)
Summary: | CVE-2018-8039 apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abhgupta, alazarot, anstephe, asoldano, avibelli, bgeorges, bmaxwell, bmcclain, cdewolf, chazlett, csutherl, darran.lofthouse, dbaker, dblechte, dimitris, dmoppert, dosoudil, drieden, eedri, etirelli, fgavrilo, ibek, ikanello, jawilson, jbalunas, jcantril, jokerman, jolee, jondruse, jpallich, jschatte, jshepherd, jstastny, krathod, kverlaen, lef, lgao, lpetrovi, lthon, mgoldboi, michal.skrivanek, mszynkie, myarboro, paradhya, pdrozd, periklis, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, psotirop, puntogil, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rzhang, sbonazzo, sdaley, security-response-team, sgoodman, sherold, sstavrev, sthangav, sthorger, trankin, trogers, twalsh, vhalbert, vtunka |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | apache-cxf 3.2.5, apache-cxf 3.1.16 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was discovered that when Apache CXF is configured to use the system property com.sun.net.ssl.internal.www.protocol ,it uses reflection to make the HostnameVerifier work with old com.sun.net.ssl.HostnameVerifier interface. Although the CXF implementation throws an exception, which is caught in the reflection code but it is not properly propagated, this can lead to a man-in-the-middle attack.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:30:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1596425, 1597534, 1597535 | ||
Bug Blocks: | 1595337 |
Description
Laura Pardo
2018-06-26 16:05:31 UTC
External Reference: http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2 Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1596425] This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2277 https://access.redhat.com/errata/RHSA-2018:2277 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2276 https://access.redhat.com/errata/RHSA-2018:2276 This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2018:2279 https://access.redhat.com/errata/RHSA-2018:2279 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425 This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423 This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643 This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768 This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:3817 https://access.redhat.com/errata/RHSA-2018:3817 |