{"id":"CVE-2018-8039","details":"It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty(\"java.protocol.handler.pkgs\", \"com.sun.net.ssl.internal.www.protocol\");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.","aliases":["GHSA-jc7r-v6fg-2gpf"],"modified":"2026-04-11T08:05:22.609825Z","published":"2018-07-02T13:29:00.413Z","references":[{"type":"WEB","url":"http://www.securityfocus.com/bid/106357"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rc774278135816e7afc943dc9fc78eb0764f2c84a2b96470a0187315c%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rec7160382badd3ef4ad017a22f64a266c7188b9ba71394f0d321e2d4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rd49aabd984ed540c8ff7916d4d79405f3fa311d2fdbcf9ed307839a6%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfb87e0bf3995e7d560afeed750fac9329ff5f1ad49da365129b7f89e%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rff42cfa5e7d75b7c1af0e37589140a8f1999e578a75738740b244bd4%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/1f8ff31df204ad0374ab26ad333169e0387a5e7ec92422f337431866%40%3Cdev.cxf.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r36e44ffc1a9b365327df62cdfaabe85b9a5637de102cea07d79b2dbf%40%3Ccommits.cxf.apache.org%3E"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujan2020.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2276"},{"type":"ADVISORY","url":"http://cxf.apache.org/security-advisories.data/CVE-2018-8039.txt.asc?version=1&modificationDate=1530184663000&api=v2"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2425"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2643"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3768"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1041199"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2277"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2279"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2423"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:3817"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2424"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2428"},{"type":"ADVISORY","url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"type":"FIX","url":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/cxf","events":[{"introduced":"0"},{"fixed":"103932060cb426d1eea3fe28ae029b337c8ebd89"},{"introduced":"f5ee3b786e22a081121eeebbba6d02fa9f4e7206"},{"fixed":"bc2f01b3c76266b9dd138ba33c226b303e33713d"},{"fixed":"fae6fabf9bd7647f5e9cb68897a7d72b545b741b"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.1.16"},{"introduced":"3.2.0"},{"fixed":"3.2.5"}]}}],"versions":["cxf-2.1","cxf-2.1.2","cxf-2.2","cxf-2.2.1","cxf-2.2.2","cxf-2.3.0","cxf-2.4.0","cxf-2.5.0","cxf-2.5.1","cxf-2.6.0","cxf-2.6.1","cxf-2.7.0","cxf-2.7.1","cxf-2.7.2","cxf-3.0.0","cxf-3.0.0-milestone2","cxf-3.1.0","cxf-3.1.1","cxf-3.1.10","cxf-3.1.11","cxf-3.1.12","cxf-3.1.13","cxf-3.1.14","cxf-3.1.15","cxf-3.1.2","cxf-3.1.3","cxf-3.1.4","cxf-3.1.5","cxf-3.1.6","cxf-3.1.7","cxf-3.1.8","cxf-3.1.9","cxf-3.2.0","cxf-3.2.1","cxf-3.2.2","cxf-3.2.3","cxf-3.2.4"],"database_specific":{"vanir_signatures":[{"digest":{"length":180,"function_hash":"84945857156092962710129030850930809493"},"source":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","signature_type":"Function","target":{"function":"invoke","file":"rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-8039-1e5f5859"},{"digest":{"line_hashes":["213913390259491039131549401267186375028","335391923332883398951730313256478179123"],"threshold":0.9},"source":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","signature_type":"Line","target":{"file":"rt/transports/http/src/main/java/org/apache/cxf/transport/https/AllowAllHostnameVerifier.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-8039-30fadbcc"},{"digest":{"length":2501,"function_hash":"303838424797550863392538980852074412340"},"source":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","signature_type":"Function","target":{"function":"decorateWithTLS","file":"rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-8039-3480313c"},{"digest":{"line_hashes":["188461621133119421001549968880047904997","117411491607624719512441840354788300152","329208879483314357076888436045139267436","238150500670111072594087164928134947741"],"threshold":0.9},"source":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","signature_type":"Line","target":{"file":"rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-8039-8b78643f"},{"digest":{"line_hashes":["88210350243782250675121449946846566935","324313358388823458397964355427546229776","177231698756307637688848807439312338449"],"threshold":0.9},"source":"https://github.com/apache/cxf/commit/fae6fabf9bd7647f5e9cb68897a7d72b545b741b","signature_type":"Line","target":{"file":"rt/transports/http/src/main/java/org/apache/cxf/transport/https/httpclient/DefaultHostnameVerifier.java"},"signature_version":"v1","deprecated":false,"id":"CVE-2018-8039-d69fdc8d"}],"vanir_signatures_modified":"2026-04-11T08:05:22Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-8039.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.1.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}