Bug 1313589 (CVE-2016-2141)
Summary: | CVE-2016-2141 JGroups: Authorization bypass | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jason Shepherd <jshepherd> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | ||
Version: | unspecified | CC: | aileenc, alazarot, aszczucz, ataylor, bban, bbaranow, bdawidow, bmaxwell, cdewolf, chazlett, csutherl, dandread, darran.lofthouse, dosoudil, etirelli, felias, fnasser, ganandan, gvarsami, hfnukal, huwang, jason.greene, jawilson, jboss-set, jcoleman, jochrist, jolee, jpallich, jshepherd, jwon, kconner, ldimaggi, lgao, lpetrovi, mbaluch, msochure, mweiler, mwinkler, myarboro, nwallace, paul.ferraro, pavelp, pgier, psakar, pslavice, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, security-response-team, sjacobs, tcunning, theute, tkirby, ttarrant, twalsh, vhalbert, vkumar, vtunka |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://issues.redhat.com/browse/ENTESB-5383 | ||
Whiteboard: | |||
Fixed In Version: | jgroups-3.6.10.Final | Doc Type: | Bug Fix |
Doc Text: | It was found that JGroups did not require the headers of the ENCRYPT and AUTH protocols on messages from new nodes joining the cluster. An attacker with network access to the cluster could use this flaw to bypass those protections and send and receive messages within the cluster, leading to information disclosure, message spoofing, or further attacks. | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2016-07-07 23:00:19 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1285635, 1288422, 1316113, 1316114, 1316115, 1329429, 1329430, 1329432, 1329433, 1329456, 1329457, 1329458, 1329459, 1329460, 1329461, 1329462, 1329463, 1329464, 1329470, 1344753, 1347779, 1347780, 1347781 | ||
Bug Blocks: | 1283513, 1340536, 1357958, 1366063, 1379523, 1381801 |
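The bypass described in the Doc Text above, modeled as an added illustration that is not JGroups source code: a receiver's protocol stack with an ENCRYPT-style layer below an AUTH-style layer, run once with the pre-fix behaviour (a message carrying no header is passed up as if it were trusted plaintext) and once with headers required. The Message type, the layer classes, the toy XOR keystream cipher, the HMAC token and the shared secret are all assumptions made so the example runs offline; the real protocols use different ciphers and token classes, and AUTH in JGroups checks only join and merge requests rather than every message as this model does.

```python
"""Model of the header-check bypass described for CVE-2016-2141.

Constructed illustration, not JGroups source: Message, the two layers, the toy
cipher and the shared secret are assumptions. The one faithful point is that a
layer which ignores a message with no header lets an unauthenticated,
unencrypted message through, while a layer that requires the header drops it.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Message:
    src: str
    payload: bytes                               # ciphertext once ENCRYPT has run down
    headers: dict = field(default_factory=dict)  # protocol name -> header value


def _xor_keystream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher (SHA-256 counter keystream). Illustration only,
    not a secure construction and not what JGroups uses."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class EncryptLayer:
    """Models an ENCRYPT-style protocol: encrypt on the way down, decrypt on the way up."""
    HDR = "ENCRYPT"

    def __init__(self, key: bytes, require_header: bool):
        self.key = key
        # False models the pre-fix behaviour: a message without the header is
        # treated as plaintext from a peer and passed up untouched.
        self.require_header = require_header

    def down(self, msg: Message) -> Message:
        return Message(msg.src, _xor_keystream(self.key, msg.payload),
                       {**msg.headers, self.HDR: True})

    def up(self, msg: Message) -> Optional[Message]:
        if self.HDR not in msg.headers:
            return None if self.require_header else msg   # None means dropped
        return Message(msg.src, _xor_keystream(self.key, msg.payload), msg.headers)


class AuthLayer:
    """Models an AUTH-style protocol with a shared-secret token (HMAC here)."""
    HDR = "AUTH"

    def __init__(self, secret: bytes, require_header: bool):
        self.secret = secret
        self.require_header = require_header

    def _token(self, msg: Message) -> bytes:
        return hmac.new(self.secret, msg.src.encode() + b"|" + msg.payload,
                        hashlib.sha256).digest()

    def down(self, msg: Message) -> Message:
        return Message(msg.src, msg.payload, {**msg.headers, self.HDR: self._token(msg)})

    def up(self, msg: Message) -> Optional[Message]:
        token = msg.headers.get(self.HDR)
        if token is None:
            return None if self.require_header else msg
        # Header present: the token must verify in both the old and the fixed model.
        return msg if hmac.compare_digest(token, self._token(msg)) else None


def simulate(require_header: bool) -> dict:
    """Run three senders through the receiver's stack; map name -> delivered payload or None."""
    secret = b"cluster-shared-secret"               # assumed key material
    enc = EncryptLayer(secret, require_header)
    auth = AuthLayer(secret, require_header)

    def receive(msg: Message) -> Optional[bytes]:
        # Up path of a stack with ENCRYPT below AUTH: decrypt, then authenticate.
        after_enc = enc.up(msg)
        after_auth = auth.up(after_enc) if after_enc is not None else None
        return None if after_auth is None else after_auth.payload

    # Legitimate member: AUTH tags first, then ENCRYPT encrypts (down path order).
    member = enc.down(auth.down(Message("member1", b"hello")))
    # Rogue joiner without the secret simply omits both headers.
    rogue_no_headers = Message("rogue", b"hello")
    # Rogue joiner that guesses: an AUTH header with a bogus token, still no ENCRYPT header.
    rogue_bad_token = Message("rogue", b"hello", {"AUTH": b"\x00" * 32})

    return {
        "member": receive(member),
        "rogue_no_headers": receive(rogue_no_headers),
        "rogue_bad_token": receive(rogue_bad_token),
    }


if __name__ == "__main__":
    for label, strict in (("pre-fix (headers optional)", False), ("fixed (headers required)", True)):
        print(label, simulate(strict))
```

The point the model makes is that the attacker does not need to forge a token or know the key: in the pre-fix path the cheapest message, one with no headers at all, is the one that is delivered, while a guessed token is still rejected. Requiring the header at each layer closes that path without changing how valid members are handled.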
Description
Jason Shepherd
2016-03-02 00:53:24 UTC
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-2072 to Resolved

Acknowledgments:
Name: Dennis Reed (Red Hat)

This issue has been addressed in the following products:
JBoss Data Grid 6.6
Via RHSA-2016:1334 https://access.redhat.com/errata/RHSA-2016:1334

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 7.0
Via RHSA-2016:1333 https://rhn.redhat.com/errata/RHSA-2016-1333.html

This issue has been addressed in the following products:
JBEAP 7.0.z for RHEL 7
JBEAP 7.0.z for RHEL 6
Via RHSA-2016:1332 https://access.redhat.com/errata/RHSA-2016:1332

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 6.4
Via RHSA-2016:1331 https://rhn.redhat.com/errata/RHSA-2016-1331.html

This issue has been addressed in the following products:
JBoss Enterprise Application Platform 5.2
Via RHSA-2016:1329 https://rhn.redhat.com/errata/RHSA-2016-1329.html

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
JBEAP 6.4.z for RHEL 5
JBEAP 6.4.z for RHEL 7
Via RHSA-2016:1330 https://access.redhat.com/errata/RHSA-2016:1330

This issue has been addressed in the following products:
JBEAP 5 for RHEL 5
JBEAP 5 for RHEL 4
JBEAP 5 for RHEL 6
Via RHSA-2016:1328 https://access.redhat.com/errata/RHSA-2016:1328

Mitigation: Please refer to https://access.redhat.com/articles/2360521 for more information.

This issue has been addressed in the following products:
Red Hat JBoss BPM Suite 6.3
Via RHSA-2016:1347 https://access.redhat.com/errata/RHSA-2016:1347

This issue has been addressed in the following products:
Red Hat JBoss Data Virtualization 6.2
Via RHSA-2016:1346 https://access.redhat.com/errata/RHSA-2016:1346

This issue has been addressed in the following products:
Red Hat JBoss BRMS 6.3
Via RHSA-2016:1345 https://access.redhat.com/errata/RHSA-2016:1345

This issue has been addressed in the following products:
Red Hat JBoss Portal 6.2.0
Via RHSA-2016:1374 https://access.redhat.com/errata/RHSA-2016:1374

This issue has been addressed in the following products:
Red Hat JBoss SOA Platform 5.3.1
Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376

This issue has been addressed in the following products:
Red Hat JBoss Fuse Service Works 6.0.0
Via RHSA-2016:1389 https://access.redhat.com/errata/RHSA-2016:1389

This issue has been addressed in the following products:
JBoss Enterprise BRMS Platform 5.3
Via RHSA-2016:1435 https://access.redhat.com/errata/RHSA-2016:1435

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 7
Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432

This issue has been addressed in the following products:
JBEAP 6.4.z for RHEL 6
Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2016:1439 https://rhn.redhat.com/errata/RHSA-2016-1439.html

Jiri Pallich <jpallich> updated the status of jira JBEAP-2072 to Closed

This issue has been addressed in the following products:
Red Hat JBoss Fuse 6.3
Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html