Description

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-1435.html

http://rhn.redhat.com/errata/RHSA-2016-1439.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/bid/91481

http://www.securitytracker.com/id/1036165

https://access.redhat.com/errata/RHSA-2016:1345

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1434

https://issues.jboss.org/browse/JGRP-2021

https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E

https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://rhn.redhat.com/errata/RHSA-2016-1329.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://rhn.redhat.com/errata/RHSA-2016-1331.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1333.html

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Related Vulnerabilities

CVE-2023-24434 Vulnerability in maven package org.jenkins-ci.plugins:ghprb

CVE-2011-3375 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2023-40336 Vulnerability in maven package org.jenkins-ci.plugins:cloudbees-folder

CVE-2016-0779 Vulnerability in maven package org.apache.tomee:arquillian-tomee-common

CVE-2018-7408 Vulnerability in maven package org.webjars.npm:npm

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory VDB Entry Broken Link Third Party Advisory Issue Tracking Patch NVD-CWE-noinfo