Description
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Remediation
References
http://rhn.redhat.com/errata/RHSA-2016-1435.html
http://rhn.redhat.com/errata/RHSA-2016-1439.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
http://www.securityfocus.com/bid/91481
http://www.securitytracker.com/id/1036165
https://access.redhat.com/errata/RHSA-2016:1345
https://access.redhat.com/errata/RHSA-2016:1346
https://access.redhat.com/errata/RHSA-2016:1347
https://access.redhat.com/errata/RHSA-2016:1374
https://access.redhat.com/errata/RHSA-2016:1376
https://access.redhat.com/errata/RHSA-2016:1389
https://access.redhat.com/errata/RHSA-2016:1432
https://access.redhat.com/errata/RHSA-2016:1433
https://access.redhat.com/errata/RHSA-2016:1434
https://issues.jboss.org/browse/JGRP-2021
https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E
https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E
https://rhn.redhat.com/errata/RHSA-2016-1328.html
https://rhn.redhat.com/errata/RHSA-2016-1329.html
https://rhn.redhat.com/errata/RHSA-2016-1330.html
https://rhn.redhat.com/errata/RHSA-2016-1331.html
https://rhn.redhat.com/errata/RHSA-2016-1332.html
https://rhn.redhat.com/errata/RHSA-2016-1333.html
https://rhn.redhat.com/errata/RHSA-2016-1334.html
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Related Vulnerabilities
CVE-2022-24898 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml
CVE-2021-27515 Vulnerability in maven package org.webjars.bowergithub.unshiftio:url-parse
CVE-2021-40660 Vulnerability in maven package org.javadelight:delight-nashorn-sandbox
CVE-2021-1626 Vulnerability in maven package org.mule.runtime:mule-core
CVE-2022-45383 Vulnerability in maven package org.jenkins-ci.plugins:support-core