IBM125E44D45AA93915B3C60576846886B18AC5116FC62634B15C2D8D3A636EC613Security Bulletin: Potential MITM attack in Apache CXF used by WebSphere Application Server (CVE-2018-8039)
0.007 Low
EPSS
Percentile
80.9%
Summary
There is a potential man-in-the-middle attack in Apache CXF used by WebSphere Application Server (CVE-2018-8039)
Vulnerability Details
CVEID: CVE-2018-8039 DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
- WebSphere Application Server Liberty
- WebSphere Application Server Version 9.0
Remediation/Fixes
The recommended solution is to apply the interim fix, Fix Pack or PTF for each named product as soon as practical. There is not an issue with JAX-WS in WebSphere Application Server Traditional.
For WebSphere Application Server Liberty using JAX-RS or JAX-WS:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH00401 for JAX-WS and PH01221 for JAX-RS
--OR–
· Apply Fix Pack 18.0.0.3 or later.
For WebSphere Application Server traditional using JAX-RS: For V9.0.0.0 through 9.0.0.8:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH01221
--OR–
· Apply Fix Pack 9.0.0.9 or later.
| CPE | Name | Operator | Version |
|---|---|---|---|
| websphere application server | eq | 9.0 |
Related
0.007 Low
EPSS
Percentile
80.9%