First published: Wed Apr 15 2020 (Updated: )
Apache CXF can integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the `createMBServerConnectorFactory` property of the default InstrumentationManagerImpl is not disabled, CXF starts an RMI registry for its JMX connector, and that connector is open to a man-in-the-middle (MITM) style attack: an attacker on the same host can connect to the registry and rebind the connector's entry to a server of their own, which then acts as a proxy to the original. From that position the attacker can read everything that is sent and received over JMX. Reference: [http://cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2](http://cxf.apache.org/security-advisories.data/CVE-2020-1954.txt.asc?version=1&modificationDate=1585730169000&api=v2)
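An added example, not code from the CXF project or from the advisory, of registering the instrumentation manager with the property disabled, done programmatically rather than through Spring XML. It assumes `cxf-rt-management` is on the classpath, that the setter names mirror the Spring property names (`enabled`, `usePlatformMBeanServer`, `createMBServerConnectorFactory`), and that calling `init()` stands in for the container's post-construct step; the default connector address quoted in the comment is CXF's documented default JMXServiceURL.

```java
// Added example: hardening CXF's JMX integration against CVE-2020-1954.
// Not CXF project code. Assumes cxf-rt-management is on the classpath.
import org.apache.cxf.Bus;
import org.apache.cxf.BusFactory;
import org.apache.cxf.management.InstrumentationManager;
import org.apache.cxf.management.jmx.InstrumentationManagerImpl;

public final class HardenedCxfJmx {

    private HardenedCxfJmx() { }

    /**
     * Programmatic equivalent of the Spring bean
     *   <bean id="org.apache.cxf.management.InstrumentationManager"
     *         class="org.apache.cxf.management.jmx.InstrumentationManagerImpl">
     *     <property name="bus" ref="cxf"/>
     *     <property name="enabled" value="true"/>
     *     <property name="usePlatformMBeanServer" value="true"/>
     *     <property name="createMBServerConnectorFactory" value="false"/>
     *   </bean>
     *
     * CXF MBeans still land in the JVM's platform MBeanServer, but CXF no
     * longer starts its own RMI registry and JMX connector (by default at
     * service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi), so there is no
     * registry entry left for a local attacker to rebind.
     */
    public static InstrumentationManagerImpl registerHardened(Bus bus) {
        InstrumentationManagerImpl im = new InstrumentationManagerImpl();
        im.setBus(bus);
        im.setEnabled(true);
        im.setUsePlatformMBeanServer(true);
        // The vulnerable setting is 'true' (the pre-fix default); this is the mitigation.
        im.setCreateMBServerConnectorFactory(false);
        // Assumption: init() is what the container would invoke after the setters.
        im.init();
        bus.setExtension(im, InstrumentationManager.class);
        return im;
    }

    public static void main(String[] args) {
        Bus bus = BusFactory.getDefaultBus();
        InstrumentationManagerImpl im = registerHardened(bus);
        System.out.println("MBeanServer in use: " + im.getMBeanServer());
        System.out.println("No CXF-owned RMI registry should be listening on 1099 now.");
        bus.shutdown(true);
    }
}
```

Deployments that let CXF create the default InstrumentationManagerImpl itself rather than declaring the bean set the same switch through bus properties in the bus configuration (the key `bus.jmx.createMBServerConnectorFactory` is assumed here to follow CXF's `bus.jmx.*` naming); the property has to be present before the manager initialises, so it belongs in the static bus configuration, not in code run after startup. Remote JMX access, if still needed, then goes through the JVM's own connector with authentication and TLS configured, not through an unauthenticated local RMI registry.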
Affected Software | Affected Version | How to fix |
---|---|---|
Apache CXF | Releases before 3.2.13 and 3.3.6 (per the linked CXF advisory) | Upgrade to 3.2.13 / 3.3.6 or later, or set `createMBServerConnectorFactory` to false on the InstrumentationManagerImpl |
The severity of REDHAT-BUG-1824301 is considered high because a successful attack exposes everything sent and received over JMX to a man-in-the-middle; the mitigating factor is that the attacker must already be running on the same host as the CXF process.
To fix REDHAT-BUG-1824301, set the 'createMBServerConnectorFactory' property of the default InstrumentationManagerImpl to false (or upgrade to a CXF release that ships the fix), so that CXF no longer creates the RMI-registry-backed JMX connector; this is both the fix and the workaround, since a correctly configured existing release is no longer exposed.
REDHAT-BUG-1824301 affects Apache CXF deployments that enable JMX integration through InstrumentationManagerImpl with that property left enabled.
REDHAT-BUG-1824301 enables a man-in-the-middle (MITM) style attack: a local attacker rebinds the registry entry to a server under their control, relays traffic to the original connector, and reads the JMX traffic passing through.
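An added check, not part of this page or of CXF, for confirming whether a running JVM still publishes the RMI-registry-backed connector that REDHAT-BUG-1824301 describes. It lists what is bound in the RMI registry at a given address and reports whether the connector entry is present; the defaults (`localhost`, port 1099, bound name `jmxrmi`) are taken from CXF's default JMXServiceURL and are parameters so the check can be pointed at a non-default URL. It only detects exposure; it does not attempt the rebind, which is the attack itself.

```java
// Added example: does this host still expose a CXF JMX connector through an RMI registry?
// Not CXF project code. Host/port/binding default to CXF's documented JMXServiceURL
// service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi.
import java.rmi.RemoteException;
import java.rmi.registry.LocateRegistry;
import java.rmi.registry.Registry;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public final class CxfJmxRegistryCheck {

    /** Name CXF binds its JMX connector under in its default JMXServiceURL. */
    public static final String DEFAULT_BINDING = "jmxrmi";
    public static final String DEFAULT_HOST = "localhost";
    public static final int DEFAULT_PORT = 1099;

    private CxfJmxRegistryCheck() { }

    /**
     * Returns every name bound in the RMI registry at host:port, or an empty
     * list when nothing is listening there. LocateRegistry.getRegistry() does
     * not connect; the list() call is what actually talks to the registry.
     */
    public static List<String> listBindings(String host, int port) {
        try {
            Registry registry = LocateRegistry.getRegistry(host, port);
            return Arrays.asList(registry.list());
        } catch (RemoteException e) {
            return Collections.emptyList();
        }
    }

    /** True when the connector entry is still published, i.e. the vulnerable setting is in effect. */
    public static boolean connectorExposed(String host, int port, String binding) {
        return listBindings(host, port).contains(binding);
    }

    public static void main(String[] args) {
        String host = args.length > 0 ? args[0] : DEFAULT_HOST;
        int port = args.length > 1 ? Integer.parseInt(args[1]) : DEFAULT_PORT;
        String binding = args.length > 2 ? args[2] : DEFAULT_BINDING;

        List<String> names = listBindings(host, port);
        System.out.println("Registry " + host + ":" + port + " bindings: " + names);
        if (connectorExposed(host, port, binding)) {
            System.out.println("EXPOSED: '" + binding + "' is bound; a local process could rebind it "
                    + "(createMBServerConnectorFactory is still enabled, or another connector uses this name).");
        } else {
            System.out.println("OK: no '" + binding + "' binding found at this address.");
        }
    }
}
```

Run it on the host itself (the same vantage point the attacker needs) after applying the fix; an empty registry or a registry without the connector name is the expected result. A non-empty result with a different name is not proof of safety, since a custom JMXServiceURL changes the bound name, so pass the name from your configuration as the third argument.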