Description

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-1435.html

http://rhn.redhat.com/errata/RHSA-2016-1439.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/bid/91481

http://www.securitytracker.com/id/1036165

https://access.redhat.com/errata/RHSA-2016:1345

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1434

https://issues.jboss.org/browse/JGRP-2021

https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E

https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://rhn.redhat.com/errata/RHSA-2016-1329.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://rhn.redhat.com/errata/RHSA-2016-1331.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1333.html

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Related Vulnerabilities

CVE-2022-1330 Vulnerability in maven package org.webjars.bower:fullpage.js

CVE-2023-29003 Vulnerability in npm package @sveltejs/kit

CVE-2023-26135 Vulnerability in npm package flatnest

CVE-2016-3084 Vulnerability in maven package org.cloudfoundry.identity:cloudfoundry-identity-server

CVE-2022-31147 Vulnerability in npm package jquery-validation

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory VDB Entry Broken Link Third Party Advisory Issue Tracking Patch NVD-CWE-noinfo