A flaw was found in the way Apache CXF handle exceptions when CXF is configured to use the com.sun.net.ssl implementation via System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol") function. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface therefore an exception is thrown. The exception is caught in the reflection code but not properly propagated which leaves CXF client subject to man-in-the-middle attacks. Upstream Patch: https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d7
External Reference: http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2
Created cxf tracking bugs for this issue: Affects: fedora-all [bug 1596425]
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2277 https://access.redhat.com/errata/RHSA-2018:2277
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2276 https://access.redhat.com/errata/RHSA-2018:2276
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2018:2279 https://access.redhat.com/errata/RHSA-2018:2279
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2018:2425 https://access.redhat.com/errata/RHSA-2018:2425
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.4 zip Via RHSA-2018:2428 https://access.redhat.com/errata/RHSA-2018:2428
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 6 Via RHSA-2018:2423 https://access.redhat.com/errata/RHSA-2018:2423
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 7.1 for RHEL 7 Via RHSA-2018:2424 https://access.redhat.com/errata/RHSA-2018:2424
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2643 https://access.redhat.com/errata/RHSA-2018:2643
This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
This issue has been addressed in the following products: Red Hat JBoss Fuse Via RHSA-2018:3817 https://access.redhat.com/errata/RHSA-2018:3817