Description

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

Remediation

References

http://rhn.redhat.com/errata/RHSA-2016-1435.html

http://rhn.redhat.com/errata/RHSA-2016-1439.html

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://www.securityfocus.com/bid/91481

http://www.securitytracker.com/id/1036165

https://access.redhat.com/errata/RHSA-2016:1345

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1434

https://issues.jboss.org/browse/JGRP-2021

https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E

https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://rhn.redhat.com/errata/RHSA-2016-1329.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://rhn.redhat.com/errata/RHSA-2016-1331.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1333.html

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Related Vulnerabilities

CVE-2022-43433 Vulnerability in maven package io.jenkins.plugins:screenrecorder

CVE-2019-0233 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2018-11764 Vulnerability in maven package org.apache.hadoop:hadoop-core

CVE-2023-22899 Vulnerability in maven package net.lingala.zip4j:zip4j

CVE-2021-36373 Vulnerability in maven package org.apache.ant:ant

Severity

Critical

Classification

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory VDB Entry Broken Link Third Party Advisory Issue Tracking Patch NVD-CWE-noinfo