Symantec Security ResponseSMNTC-106357Apache CXF CVE-2018-8039 TLS Hostname Verification Security Bypass Vulnerability
Description
Apache CXF is prone to a security-bypass vulnerability. Successfully exploiting this issue may allow attackers to obtain sensitive information by conducting a man-in-the-middle attack. This may lead to other attacks. The following versions of product are vulnerable: Apache CXF 3.1.16 and prior Apache CXF 3.2.5 and prior
Technologies Affected
- Apache Cxf 2.4.0
- Apache Cxf 2.4.1
- Apache Cxf 2.4.2
- Apache Cxf 2.4.3
- Apache Cxf 2.4.4
- Apache Cxf 2.4.5
- Apache Cxf 2.4.6
- Apache Cxf 2.4.7
- Apache Cxf 2.5.0
- Apache Cxf 2.5.1
- Apache Cxf 2.5.2
- Apache Cxf 2.5.3
- Apache Cxf 2.5.4
- Apache Cxf 2.5.5
- Apache Cxf 2.5.6
- Apache Cxf 2.5.7
- Apache Cxf 2.5.8
- Apache Cxf 2.5.9
- Apache Cxf 2.6.0
- Apache Cxf 2.6.1
- Apache Cxf 2.6.10
- Apache Cxf 2.6.11
- Apache Cxf 2.6.12
- Apache Cxf 2.6.13
- Apache Cxf 2.6.14
- Apache Cxf 2.6.2
- Apache Cxf 2.6.3
- Apache Cxf 2.6.4
- Apache Cxf 2.6.5
- Apache Cxf 2.6.6
- Apache Cxf 2.6.7
- Apache Cxf 2.6.8
- Apache Cxf 2.6.9
- Apache Cxf 2.7.0
- Apache Cxf 2.7.1
- Apache Cxf 2.7.10
- Apache Cxf 2.7.11
- Apache Cxf 2.7.12
- Apache Cxf 2.7.13
- Apache Cxf 2.7.14
- Apache Cxf 2.7.15
- Apache Cxf 2.7.16
- Apache Cxf 2.7.17
- Apache Cxf 2.7.18
- Apache Cxf 2.7.2
- Apache Cxf 2.7.3
- Apache Cxf 2.7.4
- Apache Cxf 2.7.5
- Apache Cxf 2.7.6
- Apache Cxf 2.7.7
- Apache Cxf 2.7.8
- Apache Cxf 2.7.9
- Apache Cxf 3.1.0
- Apache Cxf 3.1.1
- Apache Cxf 3.1.10
- Apache Cxf 3.1.11
- Apache Cxf 3.1.12
- Apache Cxf 3.1.13
- Apache Cxf 3.1.14
- Apache Cxf 3.1.15
- Apache Cxf 3.1.2
- Apache Cxf 3.1.3
- Apache Cxf 3.1.7
- Apache Cxf 3.1.8
- Apache Cxf 3.1.9
- Apache Cxf 3.2.0
- Apache Cxf 3.2.1
- Apache Cxf 3.2.2
- Apache Cxf 3.2.3
- Apache Cxf 3.2.4
- Oracle Communications Diameter Signaling Router 8.0
- Oracle Communications Diameter Signaling Router 8.1
- Oracle Communications Diameter Signaling Router 8.2
- Oracle Enterprise Manager Base Platform 12.1.0.5.0
- Oracle Enterprise Manager Base Platform 13.2.0.0.0
- Oracle Enterprise Manager Base Platform 13.3.0.0.0
- Oracle FLEXCUBE Private Banking 12.0.1
- Oracle FLEXCUBE Private Banking 12.0.3
- Oracle FLEXCUBE Private Banking 12.1.0
- Oracle Retail Order Broker 15.0
- Oracle Retail Order Broker 5.2
- Redhat JBoss BPMS 6.0
- Redhat JBoss BRMS 6.0
- Redhat JBoss Data Virtualization 6.0.0
- Redhat Jboss EAP 6
- Redhat Openshift Application Runtimes 1.0
- Redhat Single Sign-On 7.0
- Redhat Virtualization 4
- SAP HANA 1.00
Recommendations
Block external access at the network boundary, unless external parties require service.
If global access isnโt needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.
Implement multiple redundant layers of security.
Use of multiple redundant layers of encryption may reduce exposure to this and other latent vulnerabilities.
Updates are available. Please see the references or vendor advisory for more information.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache cxf | eq | 2.5.1 | |
| apache cxf | eq | 3.1.8 | |
| apache cxf | eq | 2.7.11 | |
| apache cxf | eq | 3.1.15 | |
| apache cxf | eq | 3.1.13 | |
| apache cxf | eq | 2.6.8 | |
| apache cxf | eq | 2.5.4 | |
| apache cxf | eq | 2.7.4 | |
| apache cxf | eq | 2.4.6 | |
| apache cxf | eq | 3.1.11 |
Related
