Description

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-1435.html

http://rhn.redhat.com/errata/RHSA-2016-1439.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/bid/91481

http://www.securitytracker.com/id/1036165

https://access.redhat.com/errata/RHSA-2016:1345

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1434

https://issues.jboss.org/browse/JGRP-2021

https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E

https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://rhn.redhat.com/errata/RHSA-2016-1329.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://rhn.redhat.com/errata/RHSA-2016-1331.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1333.html

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Related Vulnerabilities

CVE-2022-24898 Vulnerability in maven package org.xwiki.commons:xwiki-commons-xml

CVE-2021-27515 Vulnerability in maven package org.webjars.bowergithub.unshiftio:url-parse

CVE-2021-40660 Vulnerability in maven package org.javadelight:delight-nashorn-sandbox

CVE-2021-1626 Vulnerability in maven package org.mule.runtime:mule-core

CVE-2022-45383 Vulnerability in maven package org.jenkins-ci.plugins:support-core

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory VDB Entry Broken Link Third Party Advisory Issue Tracking Patch NVD-CWE-noinfo