There is a potential man-in-the-middle attack in Apache CXF used by WebSphere Application Server (CVE-2018-8039)
CVEID: CVE-2018-8039 DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
The recommended solution is to apply the interim fix, Fix Pack or PTF for each named product as soon as practical. There is not an issue with JAX-WS in WebSphere Application Server Traditional.
For WebSphere Application Server Liberty using JAX-RS or JAX-WS:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH00401 for JAX-WS and PH01221 for JAX-RS
--OR–
· Apply Fix Pack 18.0.0.3 or later.
For WebSphere Application Server traditional using JAX-RS: For V9.0.0.0 through 9.0.0.8:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH01221
--OR–
· Apply Fix Pack 9.0.0.9 or later.
CPE | Name | Operator | Version |
---|---|---|---|
websphere application server | eq | 9.0 |