Apache CXF has the ability to integrate with JMX by registering an InstrumentationManager extension with the CXF bus. If the `createMBServerConnectorFactory` property of the default InstrumentationManagerImpl is not disabled, then it is vulnerable to a man-in-the-middle (MITM) style attack. An attacker on the same host can connect to the registry and rebind the entry to another server, thus acting as a proxy to the original. They are then able to gain access to all of the information that is sent and received over JMX.
No Fix Known
No patch has been released yet. Apply workarounds or mitigations where available.
Affected Products
| Vendor | Product | Affected versions |
| --- | --- | --- |
| apache | cxf | - |
| oracle | communications_element_manager | 8.2.0 - 8.2.2 |
| oracle | communications_session_report_manager | 8.2.0 - 8.2.2 |
| oracle | communications_session_route_manager | 8.2.0 - 8.2.2 |
| oracle | communications_diameter_signaling_router_idih | 8.0.0 - 8.2.2 |
| oracle | enterprise_manager_base_platform | - |
| oracle | peoplesoft_enterprise_peopletools | - |
| netapp | oncommand_workflow_automation | - |
| netapp | snapmanager | - |
CVSS v3.1 vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N