Bug 1955113 (CVE-2021-31917)

Summary: CVE-2021-31917 Infinispan: Authentication bypass on REST endpoints when using DIGEST authentication mechanism
Product: [Other] Security Response
Reporter: Jonathan Christison <jochrist>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: urgent
Docs Contact:
Priority: urgent
Version: unspecified
CC: chazlett, jwon, pjindal, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Red Hat DataGrid and Infinispan. An attacker could bypass authentication on all REST endpoints when DIGEST is used as the authentication method. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-05-26 23:32:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1955115, 1955254, 2002256

Description Jonathan Christison 2021-04-29 13:28:33 UTC
A flaw was found in Red Hat DataGrid 8.x (8.0.0, 8.0.1, 8.1.0 and 8.1.1) and Infinispan (10.0.0 through 12.0.0) where an attacker can bypass authentication in a trivial manner on all REST endpoints when `DIGEST` is used as the authentication method (`authentication mechanisms`).

Comment 1 Jonathan Christison 2021-04-29 13:28:37 UTC
Acknowledgments:

Name: Ryan Emerson (Red Hat)

Comment 5 errata-xmlrpc 2021-05-26 21:50:27 UTC
This issue has been addressed in the following products:

  Red Hat Data Grid 8.2.0

Via RHSA-2021:2139 https://access.redhat.com/errata/RHSA-2021:2139

Comment 6 Product Security DevOps Team 2021-05-26 23:32:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31917

Comment 7 Product Security DevOps Team 2021-05-27 05:32:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-31917