CVE-2018-8039
Man-in-the-Middle (MITM) Attack vulnerability in cxf-rt-transports-http (Maven)

Man-in-the-Middle (MITM) Attack Proof of concept

What is CVE-2018-8039 About?

Apache CXF prior to 3.2.5 and 3.1.16 can be configured to use the `com.sun.net.ssl` implementation, but a default `HostnameVerifier` implementation in CXF improperly catches and suppresses exceptions. This prevents TLS hostname verification errors from being propagated, leaving CXF clients vulnerable to Man-in-the-Middle (MITM) attacks. Exploitation relies on specific configuration and the ability of an attacker to intercept network traffic.

Affected Software

  • org.apache.cxf:cxf-rt-transports-http
    • <3.1.16
    • >3.2.0, <3.2.5
  • org.apache.cxf:apache-cxf
    • <3.1.16
    • >3.2.0, <3.2.5

Technical Details

The vulnerability arises when Apache CXF is configured to use the deprecated `com.sun.net.ssl` implementation via `System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol")`. In this scenario, CXF attempts to make its `HostnameVerifier` compatible with the older `com.sun.net.ssl.HostnameVerifier` interface through reflection. However, the default CXF `HostnameVerifier` does not implement all necessary methods of this old interface, causing an exception to be thrown.

Crucially, in the vulnerable versions of CXF, this exception is caught and suppressed within the reflection code without being re-thrown or properly logged. This suppression means that if a TLS certificate's hostname does not match the expected hostname during a connection attempt (e.g., in a MITM scenario), the `HostnameVerifier` will fail silently, leading the client to proceed with the connection despite the security risk. This bypasses a critical security control, making the CXF client susceptible to MITM attacks.
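The fail-open pattern described above, reduced to a self-contained illustration: a reflective adapter looks for a legacy two-String `verify` method that the supplied verifier does not have, and the only difference between the vulnerable and the fixed variant is what happens to the resulting exception. This is an added example with hypothetical class and method names, not Apache CXF's own code, and the hostnames are constructed sample data.

```java
import java.lang.reflect.Method;

/* Illustration of the fail-open bug class behind CVE-2018-8039.
 * All names here are hypothetical stand-ins, not CXF's classes. */
public class FailOpenVerifierDemo {

    /** Stand-in for a modern-style verifier: it only knows verify(String, CertInfo). */
    public static final class StrictVerifier {
        public boolean verify(String urlHost, CertInfo cert) {
            return urlHost.equalsIgnoreCase(cert.cn);
        }
    }

    /** Minimal certificate stand-in carrying just the subject CN. */
    static final class CertInfo {
        final String cn;
        CertInfo(String cn) { this.cn = cn; }
    }

    /** Reflective call to the legacy verify(String, String) signature.
     *  For StrictVerifier this throws NoSuchMethodException: the method does not exist. */
    static boolean invokeLegacy(Object verifier, String urlHost, String certHost) throws Exception {
        Method m = verifier.getClass().getMethod("verify", String.class, String.class);
        return (Boolean) m.invoke(verifier, urlHost, certHost);
    }

    /** Vulnerable pattern: the adapter failure is swallowed and the connection goes ahead. */
    static boolean allowConnectionFailOpen(Object verifier, String urlHost, String certHost) {
        try {
            return invokeLegacy(verifier, urlHost, certHost);
        } catch (Exception e) {
            return true;   // BUG: no verifier ran, nothing was logged, yet we proceed
        }
    }

    /** Fixed pattern: an adapter failure is treated as a verification failure. */
    static boolean allowConnectionFailClosed(Object verifier, String urlHost, String certHost) {
        try {
            return invokeLegacy(verifier, urlHost, certHost);
        } catch (Exception e) {
            throw new SecurityException("hostname verifier could not be invoked; refusing connection", e);
        }
    }

    public static void main(String[] args) {
        Object v = new StrictVerifier();
        // Constructed mismatch: the client expects api.example.com, the presented cert says other.example.net
        System.out.println("fail-open allows connection: " + allowConnectionFailOpen(v, "api.example.com", "other.example.net"));
        try {
            allowConnectionFailClosed(v, "api.example.com", "other.example.net");
        } catch (SecurityException e) {
            System.out.println("fail-closed refuses: " + e.getMessage());
        }
    }
}
```

A unit test that points a client at a certificate for the wrong hostname and asserts the connection is refused is the practical check for this class of bug, since a swallowed exception leaves no log line to alert on.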

What is the Impact of CVE-2018-8039?

Successful exploitation may allow attackers to intercept and potentially modify sensitive communications between the CXF client and server, leading to data theft, credential compromise, or other security breaches.

What is the Exploitability of CVE-2018-8039?

Exploitation requires the CXF client to be configured to use the com.sun.net.ssl stack, which is not the default. An attacker must also be in a position to perform a Man-in-the-Middle attack, such as by controlling a network segment or tricking the client into connecting to an attacker-controlled endpoint with a mismatched certificate. The complexity is medium, as it requires network manipulation and specific CXF configuration. No authentication is directly required against the CXF client itself for the MITM attack to occur, but the client might be performing authenticated requests over the compromised connection. Privilege requirements for the attacker are network-level (e.g., ARP spoofing, DNS spoofing). This is a remote attack. The vulnerability is highly dependent on the insecure configuration of CXF to use the legacy SSL stack combined with an environment susceptible to network interception.

What are the Known Public Exploits?

PoC Author | Link | Commentary
tafamace   | Link | PoC for CVE-2018-8039

What are the Available Fixes for CVE-2018-8039?

Available Upgrade Options

  • org.apache.cxf:apache-cxf
    • <3.1.16 → Upgrade to 3.1.16
  • org.apache.cxf:apache-cxf
    • >3.2.0, <3.2.5 → Upgrade to 3.2.5
  • org.apache.cxf:cxf-rt-transports-http
    • <3.1.16 → Upgrade to 3.1.16
  • org.apache.cxf:cxf-rt-transports-http
    • >3.2.0, <3.2.5 → Upgrade to 3.2.5


Additional Resources

What are Similar Vulnerabilities to CVE-2018-8039?

Similar Vulnerabilities: CVE-2014-3577, CVE-2015-0210, CVE-2015-8120, CVE-2016-5389, CVE-2017-7667