Dec 10, 2018 - 3:35 p.m.

Security Bulletin: Potential MITM attack in Apache CXF used by IBM® WebSphere™ Application Server Liberty affects IBM® SPSS Analytic Server (CVE-2018-8039)

2018-12-10 15:35:01
www.ibm.com

EPSS: 0.007 (Low)
Percentile: 80.9%

Summary

There is a potential man-in-the-middle attack in Apache CXF used by IBM WebSphere Application Server Liberty that affects SPSS Analytic Server.

Vulnerability Details

CVEID: CVE-2018-8039
DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with the com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.

CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

IBM SPSS Analytic Server 2.0.0.0
IBM SPSS Analytic Server 2.1.0.0
IBM SPSS Analytic Server 3.0.0.0
IBM SPSS Analytic Server 3.1.0.0

Remediation/Fixes

Affected IBM SPSS Analytic Server users need to update their IBM WebSphere Application Server instances. Please refer to the following security bulletin for a list of the IBM WebSphere Application Server fix packs that the fix is delivered in and for links to the interim fixes: <https://www-01.ibm.com/support/docview.wss?uid=ibm10720065>

Workarounds and Mitigations

None
