Description

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections:

Remediation

References

https://access.redhat.com/errata/RHSA-2018:3527

https://access.redhat.com/errata/RHSA-2018:3528

https://access.redhat.com/errata/RHSA-2018:3529

https://access.redhat.com/errata/RHSA-2018:3595

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627

https://issues.jboss.org/browse/WFLY-9107

https://security.netapp.com/advisory/ntap-20181221-0002/

Related Vulnerabilities

CVE-2020-7727 Vulnerability in npm package gedi

CVE-2016-10735 Vulnerability in maven package org.webjars.bower:bootstrap-sass

CVE-2016-10744 Vulnerability in maven package org.webjars.bower:select2

CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http2:http2-hpack

CVE-2020-15256 Vulnerability in maven package org.webjars.npm:object-path

Severity

Medium

Classification

CWE-319 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Issue Tracking Patch