The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache CXF: Man-in-the-Middle via com.sun.net.ssl

Synthesis of the vulnerability 

An attacker can act as a Man-in-the-Middle via com.sun.net.ssl on Apache CXF, in order to read or write data in the session.
Vulnerable systems: Business Objects, Rational ClearCase, WebSphere AS Liberty, WebSphere AS Traditional, Oracle Communications, WebLogic, JBoss EAP by Red Hat, SAP ERP, NetWeaver.
Severity of this threat: 2/4.
Creation date: 27/07/2018.
References of this weakness: cpuapr2020, cpujul2019, CVE-2018-8039, ibm10720065, ibm10734899, RHSA-2018:2276-01, RHSA-2018:2277-01, RHSA-2018:2423-01, RHSA-2018:2424-01, RHSA-2018:2425-01, RHSA-2018:3817-01, VIGILANCE-VUL-26852.

Description of the vulnerability 

An attacker can act as a Man-in-the-Middle via com.sun.net.ssl on Apache CXF, in order to read or write data in the session.

This cybersecurity note impacts software or systems such as Business Objects, Rational ClearCase, WebSphere AS Liberty, WebSphere AS Traditional, Oracle Communications, WebLogic, JBoss EAP by Red Hat, SAP ERP, NetWeaver.

Our Vigil@nce team determined that the severity of this computer weakness announcement is medium.

The trust level is of type "confirmed by the editor", with an origin of "internet server".

An attacker with an expert ability can exploit this cybersecurity vulnerability.

Solutions for this threat 

IBM Rational ClearCase: patch for WebSphere AS.
A patch is indicated in information sources.

Oracle Communications: CPU of April 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2647690.1
  https://support.oracle.com/rs?type=doc&id=2654603.1
  https://support.oracle.com/rs?type=doc&id=2652618.1
  https://support.oracle.com/rs?type=doc&id=2653087.1
  https://support.oracle.com/rs?type=doc&id=2653688.1
  https://support.oracle.com/rs?type=doc&id=2652610.1
  https://support.oracle.com/rs?type=doc&id=2653279.1
  https://support.oracle.com/rs?type=doc&id=2652619.1
  https://support.oracle.com/rs?type=doc&id=2652621.1
  https://support.oracle.com/rs?type=doc&id=2652606.1
  https://support.oracle.com/rs?type=doc&id=2653691.1
  https://support.oracle.com/rs?type=doc&id=2653692.1
  https://support.oracle.com/rs?type=doc&id=2647687.1
  https://support.oracle.com/rs?type=doc&id=2652622.1

Oracle Communications: CPU of July 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2559239.1
  https://support.oracle.com/rs?type=doc&id=2563691.1
  https://support.oracle.com/rs?type=doc&id=2559240.1
  https://support.oracle.com/rs?type=doc&id=2559722.1
  https://support.oracle.com/rs?type=doc&id=2559225.1
  https://support.oracle.com/rs?type=doc&id=2559721.1
  https://support.oracle.com/rs?type=doc&id=2559256.1
  https://support.oracle.com/rs?type=doc&id=2559242.1
  https://support.oracle.com/rs?type=doc&id=2559243.1
  https://support.oracle.com/rs?type=doc&id=2559648.1

Red Hat JBoss EAP: patch Security Update.
A patch is available:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.1

Red Hat JBoss EAP: version 7.1.4.
The version 7.1.4 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=appplatform&downloadType=securityPatches&version=7.1

Red Hat JBoss Fuse/A-MQ: version 6.3 R10.
The version 6.3 R10 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jboss.fuse&downloadType=securityPatches&version=6.3

SAP: solution of February 2019.
The solution is available on the SAP site:
  https://support.sap.com/securitynotes

WebSphere AS: patch for Apache CXF.
A patch is indicated in information sources.
