Description
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Remediation
References
https://rhn.redhat.com/errata/RHSA-2016-1334.html
https://rhn.redhat.com/errata/RHSA-2016-1333.html
https://issues.jboss.org/browse/JGRP-2021
http://www.securitytracker.com/id/1036165
https://rhn.redhat.com/errata/RHSA-2016-1331.html
https://rhn.redhat.com/errata/RHSA-2016-1329.html
https://rhn.redhat.com/errata/RHSA-2016-1328.html
https://rhn.redhat.com/errata/RHSA-2016-1332.html
https://rhn.redhat.com/errata/RHSA-2016-1330.html
https://access.redhat.com/errata/RHSA-2016:1346
https://access.redhat.com/errata/RHSA-2016:1374
https://access.redhat.com/errata/RHSA-2016:1389
https://access.redhat.com/errata/RHSA-2016:1347
https://access.redhat.com/errata/RHSA-2016:1345
http://rhn.redhat.com/errata/RHSA-2016-1435.html
https://access.redhat.com/errata/RHSA-2016:1433
https://access.redhat.com/errata/RHSA-2016:1434
http://www.securityfocus.com/bid/91481
http://rhn.redhat.com/errata/RHSA-2016-1439.html
https://access.redhat.com/errata/RHSA-2016:1432
https://access.redhat.com/errata/RHSA-2016:1376
http://rhn.redhat.com/errata/RHSA-2016-2035.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E
Related Vulnerabilities
CVE-2023-40167 Vulnerability in maven package org.eclipse.jetty:jetty-http
CVE-2022-34191 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration
CVE-2023-41329 Vulnerability in maven package com.github.tomakehurst:wiremock-jre8-standalone