[GHSA-jc7r-v6fg-2gpf] Apache CXF TLS hostname verification does not work correctly with com.sun.net.ssl.*

[ebickle]

Updates

• Affected products

Comments
The code for the vulnerability is contained within the cxf-rt-transports-http package.

The commit for the fix is here apache/cxf@fae6fab which shows code changes within the /rt/transports/http directory. That directory contains a pom.xml (https://github.com/apache/cxf/blob/fae6fabf9bd7647f5e9cb68897a7d72b545b741b/rt/transports/http/pom.xml) file with an artifactId of "cxf-rt-transports-http".

https://repo1.maven.org/maven2/org/apache/cxf/cxf/3.2.7/ shows that the "org.apache.cxf:cxf" package does not contain any binary files and https://repo1.maven.org/maven2/org/apache/cxf/cxf/3.2.7/cxf-3.2.7.pom shows pom - it's a Maven POM file only and not binary code.

For that reason, I've left "org.apache.cxf:apache-cxf" as a vulnerable dependency (likely a 'bundle' package) but replaced "org.apache.cxf:cxf" with "org.apache.cxf:cxf-rt-transports-http".

Our application had a "false negative" where the vulnerability wasn't showing up - we directly depended on cxf-rt-transports-http and weren't using the bundled distribution package.

[Copilot]

Pull Request Overview

This PR corrects the Maven coordinates for the vulnerable CXF component and updates the advisory's modified timestamp.

• Updated the modified field to reflect the latest change time.
• Replaced occurrences of org.apache.cxf:cxf with org.apache.cxf:cxf-rt-transports-http.

[advisory-database]

Hi @ebickle! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!