Bug 1313589 - (CVE-2016-2141) CVE-2016-2141 Authorization bypass in JGroups
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Assigned To: Red Hat Product Security
impact=critical,public=20160623,repor...
Keywords: Security
Depends On: 1316114 1316115 1285635 1288422 1316113 1329429 1329430 1329432 1329433 1329456 1329457 1329458 1329459 1329460 1329461 1329462 1329463 1329464 1329470 1344753 1347779 1347780 1347781
Blocks: 1283513 1340536 1357958 1366063 1379523 1381801
Reported: 2016-03-01 19:53 EST by Jason Shepherd
Modified: 2017-12-11 12:22 EST (History)

Doc Type: Bug Fix
Doc Text:
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Last Closed: 2016-07-07 19:00:19 EDT
External Trackers
Tracker: JBoss Issue Tracker | ID: JBEAP-2072 | Priority: Blocker | Status: Closed | Summary: CVE-2016-2141 Add authorization checks by default on JGroups message receipt (EMBARGOED) | Last Updated: 2018-01-14 22:42 EST
Tracker: JBoss Issue Tracker | ID: JGRP-2021 | Priority: Major | Status: Resolved | Summary: ENCRYPT: prevent messages from non-members | Last Updated: 2018-01-14 22:42 EST
Description Jason Shepherd 2016-03-01 19:53:24 EST
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
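A toy model of the header gating this report describes, added here as an illustration and not code from JGroups or from Red Hat. A receiving node accepts a join only when the request carries a valid AUTH token, and delivers data only from current members whose message carries the expected ENCRYPT header; with require_headers=False it behaves like the unpatched acceptance path that let any sender in. The Message and ClusterNode classes, the "AUTH"/"ENCRYPT" header keys, the token and key version are constructed stand-ins for the real protocol headers.

```python
"""Toy model of the ENCRYPT/AUTH header checks behind CVE-2016-2141.

Added illustration only: this is not JGroups code. Message, ClusterNode and
the "AUTH"/"ENCRYPT" header keys are constructed stand-ins for the real
protocol headers; the real stack is far more involved.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    payload: str
    headers: dict = field(default_factory=dict)  # protocol name -> header value


class ClusterNode:
    """Receiving side of one cluster member.

    require_headers=True models the patched behaviour (JGRP-2021: messages
    from non-members are dropped; join requests must authenticate).
    require_headers=False models the unpatched acceptance path.
    """

    def __init__(self, name, shared_token, key_version, require_headers=True):
        self.name = name
        self.shared_token = shared_token      # AUTH credential shared by the cluster
        self.key_version = key_version        # identifies the current ENCRYPT key
        self.require_headers = require_headers
        self.members = {name}                 # current view
        self.delivered = []                   # payloads passed up to the application
        self.rejected = []                    # (sender, reason) audit trail for detection

    def _reject(self, msg, reason):
        self.rejected.append((msg.sender, reason))
        return False

    def handle_join(self, msg):
        """AUTH check: a joiner must present the shared token in its AUTH header."""
        if self.require_headers and msg.headers.get("AUTH") != self.shared_token:
            return self._reject(msg, "join without valid AUTH header")
        self.members.add(msg.sender)
        return True

    def handle_data(self, msg):
        """ENCRYPT check: only current members may deliver, and only with the
        expected ENCRYPT header; anything else is dropped and recorded."""
        if self.require_headers:
            if msg.sender not in self.members:
                return self._reject(msg, "data from non-member")
            if msg.headers.get("ENCRYPT") != self.key_version:
                return self._reject(msg, "data without valid ENCRYPT header")
        self.delivered.append(msg.payload)
        return True


def run_scenario(require_headers):
    """Replay constructed traffic against one node and return it for inspection."""
    node = ClusterNode("A", shared_token="s3cret", key_version=1,
                       require_headers=require_headers)
    node.handle_join(Message("B", "join", {"AUTH": "s3cret"}))   # legitimate joiner
    node.handle_join(Message("X", "join", {}))                    # joiner with no AUTH header
    node.handle_data(Message("B", "hello", {"ENCRYPT": 1}))      # member, encrypted
    node.handle_data(Message("B", "leaked", {}))                  # member, ENCRYPT header missing
    node.handle_data(Message("X", "spoofed", {}))                 # rejected joiner, no header
    node.handle_data(Message("Y", "injected", {"ENCRYPT": 1}))   # never joined at all
    return node


if __name__ == "__main__":
    for flag in (False, True):
        n = run_scenario(flag)
        print(f"require_headers={flag}: members={sorted(n.members)} "
              f"delivered={n.delivered} rejected={len(n.rejected)}")
```

The rejected list is the part a defender cares about: in the patched mode every dropped join or message carries a sender and a reason, which is what a real deployment would want surfaced in logs so that unauthenticated join attempts and unencrypted traffic from outside the view become visible rather than silently delivered.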
Comment 13 JBoss JIRA Server 2016-05-23 04:41:51 EDT
Carlo de Wolf <cdewolf@redhat.com> updated the status of jira JBEAP-2072 to Resolved
Comment 19 Chess Hazlett 2016-06-21 16:35:28 EDT
Acknowledgments:

Name: Dennis Reed (Red Hat)
Comment 21 errata-xmlrpc 2016-06-23 16:50:21 EDT
This issue has been addressed in the following products:

  JBoss Data Grid 6.6

Via RHSA-2016:1334 https://access.redhat.com/errata/RHSA-2016:1334
Comment 22 errata-xmlrpc 2016-06-23 16:50:51 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 7.0

Via RHSA-2016:1333 https://rhn.redhat.com/errata/RHSA-2016-1333.html
Comment 23 errata-xmlrpc 2016-06-23 16:51:08 EDT
This issue has been addressed in the following products:

  JBEAP 7.0.z for RHEL 7
  JBEAP 7.0.z for RHEL 6

Via RHSA-2016:1332 https://access.redhat.com/errata/RHSA-2016:1332
Comment 24 errata-xmlrpc 2016-06-23 16:51:23 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4

Via RHSA-2016:1331 https://rhn.redhat.com/errata/RHSA-2016-1331.html
Comment 25 errata-xmlrpc 2016-06-23 16:52:23 EDT
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2

Via RHSA-2016:1329 https://rhn.redhat.com/errata/RHSA-2016-1329.html
Comment 26 errata-xmlrpc 2016-06-23 17:07:34 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6
  JBEAP 6.4.z for RHEL 5
  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1330 https://access.redhat.com/errata/RHSA-2016:1330
Comment 27 errata-xmlrpc 2016-06-23 17:07:59 EDT
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2016:1328 https://access.redhat.com/errata/RHSA-2016:1328
Comment 28 Timothy Walsh 2016-06-24 00:17:03 EDT
Mitigation:

Please refer to https://access.redhat.com/articles/2360521 for more information.
Comment 29 errata-xmlrpc 2016-06-27 17:05:09 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3

Via RHSA-2016:1347 https://access.redhat.com/errata/RHSA-2016:1347
Comment 30 errata-xmlrpc 2016-06-27 17:05:44 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.2

Via RHSA-2016:1346 https://access.redhat.com/errata/RHSA-2016:1346
Comment 31 errata-xmlrpc 2016-06-27 17:06:23 EDT
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3

Via RHSA-2016:1345 https://access.redhat.com/errata/RHSA-2016:1345
Comment 32 errata-xmlrpc 2016-06-29 12:49:07 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.2.0

Via RHSA-2016:1374 https://access.redhat.com/errata/RHSA-2016:1374
Comment 33 errata-xmlrpc 2016-06-30 17:08:47 EDT
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376
Comment 34 errata-xmlrpc 2016-07-07 13:46:52 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2016:1389 https://access.redhat.com/errata/RHSA-2016:1389
Comment 35 errata-xmlrpc 2016-07-18 15:08:08 EDT
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3

Via RHSA-2016:1435 https://access.redhat.com/errata/RHSA-2016:1435
Comment 36 errata-xmlrpc 2016-07-18 15:41:58 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434
Comment 37 errata-xmlrpc 2016-07-18 15:42:38 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432
Comment 38 errata-xmlrpc 2016-07-18 15:45:49 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433
Comment 39 errata-xmlrpc 2016-07-19 16:39:54 EDT
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2016:1439 https://rhn.redhat.com/errata/RHSA-2016-1439.html
Comment 40 JBoss JIRA Server 2016-08-23 07:38:49 EDT
Jiri Pallich <jpallich@redhat.com> updated the status of jira JBEAP-2072 to Closed
Comment 42 errata-xmlrpc 2016-10-06 12:20:18 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html