Bug 1313589 (CVE-2016-2141) - CVE-2016-2141 JGroups: Authorization bypass
Summary: CVE-2016-2141 JGroups: Authorization bypass
Status: CLOSED ERRATA
Alias: CVE-2016-2141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=critical,public=20160623,repor...
Keywords: Security
Depends On: 1316114 1316115 1285635 1288422 1316113 1329429 1329430 1329432 1329433 1329456 1329457 1329458 1329459 1329460 1329461 1329462 1329463 1329464 1329470 1344753 1347779 1347780 1347781
Blocks: 1283513 1340536 1357958 1366063 1379523 1381801
Reported: 2016-03-02 00:53 UTC by Jason Shepherd
Modified: 2019-06-08 21:02 UTC (History)

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Clone Of:
Last Closed: 2016-07-07 23:00:19 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
JBoss Issue Tracker JBEAP-2072 Blocker Closed CVE-2016-2141 Add authorization checks by default on JGroups message receipt (EMBARGOED) 2019-06-14 09:07 UTC
Red Hat Bugzilla 1285635 None None None 2019-06-14 09:07 UTC
JBoss Issue Tracker JGRP-2021 Major Resolved ENCRYPT: prevent messages from non-members 2019-06-14 09:07 UTC
Red Hat Product Errata RHSA-2016:1328 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2016-06-24 01:07:16 UTC
Red Hat Product Errata RHSA-2016:1329 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2016-06-24 00:50:11 UTC
Red Hat Product Errata RHSA-2016:1330 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2016-06-24 01:07:02 UTC
Red Hat Product Errata RHSA-2016:1331 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2016-06-24 00:50:04 UTC
Red Hat Product Errata RHSA-2016:1332 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 7.0 security update 2016-06-24 00:49:52 UTC
Red Hat Product Errata RHSA-2016:1333 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 7.0 security update 2016-06-24 00:49:46 UTC
Red Hat Product Errata RHSA-2016:1334 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Grid 6.6 security update 2016-06-24 00:49:39 UTC
Red Hat Product Errata RHSA-2016:1345 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS security update 2016-06-28 01:05:02 UTC
Red Hat Product Errata RHSA-2016:1346 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Virtualization security and bug fix update 2016-06-28 01:04:56 UTC
Red Hat Product Errata RHSA-2016:1347 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite security update 2016-06-28 01:04:49 UTC
Red Hat Product Errata RHSA-2016:1374 normal SHIPPED_LIVE Critical: Red Hat JBoss Portal 6.2.0 security update 2016-06-29 20:48:59 UTC
Red Hat Product Errata RHSA-2016:1376 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform security update 2016-07-01 01:06:13 UTC
Red Hat Product Errata RHSA-2016:1389 normal SHIPPED_LIVE Critical: Red Hat JBoss Fuse Service Works security update 2016-07-07 21:46:41 UTC
Red Hat Product Errata RHSA-2016:1432 normal SHIPPED_LIVE Critical: jboss-ec2-eap security, bug fix, and enhancement update 2016-07-18 23:41:10 UTC
Red Hat Product Errata RHSA-2016:1433 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-18 23:44:33 UTC
Red Hat Product Errata RHSA-2016:1434 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform update 2016-07-18 23:39:47 UTC
Red Hat Product Errata RHSA-2016:1435 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-19 01:21:04 UTC
Red Hat Product Errata RHSA-2016:1439 normal SHIPPED_LIVE Critical: Red Hat Single Sign-On security update 2016-07-20 06:37:36 UTC
Red Hat Product Errata RHSA-2016:2035 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC

Internal Trackers: 1285635

Comment 13 JBoss JIRA Server 2016-05-23 08:41:51 UTC
Carlo de Wolf <cdewolf@redhat.com> updated the status of jira JBEAP-2072 to Resolved

Comment 19 Chess Hazlett 2016-06-21 20:35:28 UTC
Acknowledgments:

Name: Dennis Reed (Red Hat)

Comment 21 errata-xmlrpc 2016-06-23 20:50:21 UTC
This issue has been addressed in the following products:

  JBoss Data Grid 6.6

Via RHSA-2016:1334 https://access.redhat.com/errata/RHSA-2016:1334

Comment 22 errata-xmlrpc 2016-06-23 20:50:51 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 7.0

Via RHSA-2016:1333 https://rhn.redhat.com/errata/RHSA-2016-1333.html

Comment 23 errata-xmlrpc 2016-06-23 20:51:08 UTC
This issue has been addressed in the following products:

  JBEAP 7.0.z for RHEL 7
  JBEAP 7.0.z for RHEL 6

Via RHSA-2016:1332 https://access.redhat.com/errata/RHSA-2016:1332

Comment 24 errata-xmlrpc 2016-06-23 20:51:23 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4

Via RHSA-2016:1331 https://rhn.redhat.com/errata/RHSA-2016-1331.html

Comment 25 errata-xmlrpc 2016-06-23 20:52:23 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2

Via RHSA-2016:1329 https://rhn.redhat.com/errata/RHSA-2016-1329.html

Comment 26 errata-xmlrpc 2016-06-23 21:07:34 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6
  JBEAP 6.4.z for RHEL 5
  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1330 https://access.redhat.com/errata/RHSA-2016:1330

Comment 27 errata-xmlrpc 2016-06-23 21:07:59 UTC
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2016:1328 https://access.redhat.com/errata/RHSA-2016:1328

Comment 28 Timothy Walsh 2016-06-24 04:17:03 UTC
Mitigation:

Please refer to https://access.redhat.com/articles/2360521 for more information.

Comment 29 errata-xmlrpc 2016-06-27 21:05:09 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3

Via RHSA-2016:1347 https://access.redhat.com/errata/RHSA-2016:1347

Comment 30 errata-xmlrpc 2016-06-27 21:05:44 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.2

Via RHSA-2016:1346 https://access.redhat.com/errata/RHSA-2016:1346

Comment 31 errata-xmlrpc 2016-06-27 21:06:23 UTC
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3

Via RHSA-2016:1345 https://access.redhat.com/errata/RHSA-2016:1345

Comment 32 errata-xmlrpc 2016-06-29 16:49:07 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.2.0

Via RHSA-2016:1374 https://access.redhat.com/errata/RHSA-2016:1374

Comment 33 errata-xmlrpc 2016-06-30 21:08:47 UTC
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376

Comment 34 errata-xmlrpc 2016-07-07 17:46:52 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2016:1389 https://access.redhat.com/errata/RHSA-2016:1389

Comment 35 errata-xmlrpc 2016-07-18 19:08:08 UTC
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3

Via RHSA-2016:1435 https://access.redhat.com/errata/RHSA-2016:1435

Comment 36 errata-xmlrpc 2016-07-18 19:41:58 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434

Comment 37 errata-xmlrpc 2016-07-18 19:42:38 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432

Comment 38 errata-xmlrpc 2016-07-18 19:45:49 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433

Comment 39 errata-xmlrpc 2016-07-19 20:39:54 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2016:1439 https://rhn.redhat.com/errata/RHSA-2016-1439.html

Comment 40 JBoss JIRA Server 2016-08-23 11:38:49 UTC
Jiri Pallich <jpallich@redhat.com> updated the status of jira JBEAP-2072 to Closed

Comment 42 errata-xmlrpc 2016-10-06 16:20:18 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html
