Vulnerability reported in Apache CXF (CVE-2018-8039) 

Issue date: 04-12-2018
Affects versions: 12.6, 12.5, 11.2, 10.2

Issue ID: SECURITY-82

Affected Product Version(s)
This vulnerability may affect project-specific code based on Hippo CMS prior to 12.6.0, 12.5.1, 11.2.10, 10.2.14 and earlier versions. The product in default configuration is not affected for any version.

Severity 
Low

Description

A CXF client using specific configuration options may be subject to man-in-the-middle attacks during TLS-protected HTTPS requests.
See: CVE-2018-8039

This vulnerability is classified with severity low, since the CMS and delivery applications are not directly affected. However, it may apply to project-specific usages of the Apache CXF client library within a Hippo CMS project. 

The Apache CXF version in all supported CMS maintenance versions 12.6.0, 12.5.1, 11.2.10, and 10.2.14 has been updated to version 3.1.16.

Instructions

Every CMS customer is strongly advised to upgrade as soon as possible to the latest CMS maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.