CVE-2018-8039: Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.*

Severity: Major

Vendor: The Apache Software Foundation

Versions Affected:
This vulnerability affects all versions of Apache CXF prior to 3.2.5 and 3.1.16.

Description:
It is possible to configure CXF to use the com.sun.net.ssl implementation via:

System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");

When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, so an exception is thrown. That exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

This has been fixed in revision:
https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b

Migration:
Apache CXF users who are using the com.sun.net.ssl implementation should upgrade to 3.2.5 or 3.1.16 as soon as possible.
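The failure mode the advisory describes, a reflective bridge that swallows the exception so verification silently passes, shown next to a fail-closed variant, as an added Java illustration. This is constructed example code, not CXF's implementation or its fix; the class, interface and method names (HostnameVerifierBridge, ModernVerifier, verifyFailOpen, verifyFailClosed) and the host names are assumptions.

```java
import java.lang.reflect.Method;
import javax.net.ssl.SSLSession;

// Constructed illustration of the bug class in the advisory; not CXF's code.
public class HostnameVerifierBridge {

    /** The verifier an application supplies: javax.net.ssl-style (host, session). */
    interface ModernVerifier {
        boolean verify(String hostname, SSLSession session);
    }

    /** Vulnerable pattern: the old stack's verify(String, String) is looked up by
     *  reflection; when the verifier lacks it, the error is swallowed and the
     *  connection proceeds as if the hostname had been verified. */
    static boolean verifyFailOpen(Object verifier, String urlHost, String certHost) {
        try {
            Method m = verifier.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(verifier, urlHost, certHost);
        } catch (ReflectiveOperationException e) {
            // Bug: the failure is caught here and never reaches the caller.
            return true;
        }
    }

    /** Remediated pattern: any failure to run the verifier counts as a verification
     *  failure, so a mismatch (or a missing method) cannot pass silently. */
    static boolean verifyFailClosed(Object verifier, String urlHost, String certHost) {
        try {
            Method m = verifier.getClass().getMethod("verify", String.class, String.class);
            return (Boolean) m.invoke(verifier, urlHost, certHost);
        } catch (ReflectiveOperationException e) {
            return false; // fail closed: unverified means rejected
        }
    }

    public static void main(String[] args) {
        // A verifier that only implements the modern signature, like the default
        // described in the advisory; it has no verify(String, String) at all.
        ModernVerifier modernOnly = (host, session) -> "bank.example".equals(host);
        // Constructed mismatch between the URL host and the certificate host.
        String urlHost = "bank.example", certHost = "attacker.example";
        System.out.println("fail-open accepts mismatch:   " + verifyFailOpen(modernOnly, urlHost, certHost));
        System.out.println("fail-closed accepts mismatch: " + verifyFailClosed(modernOnly, urlHost, certHost));
    }
}
```

The first call reports true even though the hosts differ, which is the silent-pass behaviour the advisory warns about; the second reports false.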