Description

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections:

Remediation

References

https://access.redhat.com/errata/RHSA-2018:3527

https://access.redhat.com/errata/RHSA-2018:3528

https://access.redhat.com/errata/RHSA-2018:3529

https://access.redhat.com/errata/RHSA-2018:3595

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627

https://issues.jboss.org/browse/WFLY-9107

https://security.netapp.com/advisory/ntap-20181221-0002/

Related Vulnerabilities

CVE-2018-11761 Vulnerability in maven package org.apache.tika:tika-core

CVE-2017-5646 Vulnerability in maven package org.apache.knox:gateway

CVE-2020-15232 Vulnerability in maven package org.mapfish.print:print-lib

CVE-2022-25647 Vulnerability in maven package com.google.code.gson:gson

CVE-2019-1003028 Vulnerability in maven package org.jenkins-ci.plugins:jms-messaging

Severity

Medium

Classification

CWE-319 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Issue Tracking Patch