Description
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Remediation
References
https://rhn.redhat.com/errata/RHSA-2016-1334.html
https://rhn.redhat.com/errata/RHSA-2016-1333.html
https://issues.jboss.org/browse/JGRP-2021
http://www.securitytracker.com/id/1036165
https://rhn.redhat.com/errata/RHSA-2016-1331.html
https://rhn.redhat.com/errata/RHSA-2016-1329.html
https://rhn.redhat.com/errata/RHSA-2016-1328.html
https://rhn.redhat.com/errata/RHSA-2016-1332.html
https://rhn.redhat.com/errata/RHSA-2016-1330.html
https://access.redhat.com/errata/RHSA-2016:1346
https://access.redhat.com/errata/RHSA-2016:1374
https://access.redhat.com/errata/RHSA-2016:1389
https://access.redhat.com/errata/RHSA-2016:1347
https://access.redhat.com/errata/RHSA-2016:1345
http://rhn.redhat.com/errata/RHSA-2016-1435.html
https://access.redhat.com/errata/RHSA-2016:1433
https://access.redhat.com/errata/RHSA-2016:1434
http://www.securityfocus.com/bid/91481
http://rhn.redhat.com/errata/RHSA-2016-1439.html
https://access.redhat.com/errata/RHSA-2016:1432
https://access.redhat.com/errata/RHSA-2016:1376
http://rhn.redhat.com/errata/RHSA-2016-2035.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E
Related Vulnerabilities
CVE-2022-40955 Vulnerability in maven package org.apache.inlong:manager-pojo
CVE-2020-13940 Vulnerability in maven package org.apache.nifi:nifi-bootstrap
CVE-2022-46907 Vulnerability in maven package org.apache.jspwiki:jspwiki-war
CVE-2012-3373 Vulnerability in maven package org.apache.wicket:wicket
CVE-2020-2266 Vulnerability in maven package org.jenkins-ci.plugins:description-column-plugin