Bug 1313589 (CVE-2016-2141) - CVE-2016-2141 JGroups: Authorization bypass
Summary: CVE-2016-2141 JGroups: Authorization bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
urgent
urgent
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1316114 1316115 1285635 1288422 1316113 1329429 1329430 1329432 1329433 1329456 1329457 1329458 1329459 1329460 1329461 1329462 1329463 1329464 1329470 1344753 1347779 1347780 1347781
Blocks: 1283513 1340536 1357958 1366063 1379523 1381801
TreeView+ depends on / blocked
 
Reported: 2016-03-02 00:53 UTC by Jason Shepherd
Modified: 2021-02-17 04:15 UTC (History)
60 users (show)

See Also:
Fixed In Version: jgroups-3.6.10.Final
Doc Type: Bug Fix
Doc Text:
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Clone Of:
Environment:
Last Closed: 2016-07-07 23:00:19 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1285635 1 None None None 2021-01-20 06:05:38 UTC
Red Hat Issue Tracker JBEAP-2072 0 Blocker Closed CVE-2016-2141 Add authorization checks by default on JGroups message receipt (EMBARGOED) 2020-06-22 10:36:33 UTC
Red Hat Issue Tracker JGRP-2021 0 Major Resolved ENCRYPT: prevent messages from non-members 2020-12-15 21:56:27 UTC
Red Hat Product Errata RHSA-2016:1328 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2016-06-24 01:07:16 UTC
Red Hat Product Errata RHSA-2016:1329 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 5.2 security update 2016-06-24 00:50:11 UTC
Red Hat Product Errata RHSA-2016:1330 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2016-06-24 01:07:02 UTC
Red Hat Product Errata RHSA-2016:1331 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4 security update 2016-06-24 00:50:04 UTC
Red Hat Product Errata RHSA-2016:1332 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 7.0 security update 2016-06-24 00:49:52 UTC
Red Hat Product Errata RHSA-2016:1333 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 7.0 security update 2016-06-24 00:49:46 UTC
Red Hat Product Errata RHSA-2016:1334 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Grid 6.6 security update 2016-06-24 00:49:39 UTC
Red Hat Product Errata RHSA-2016:1345 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BRMS security update 2016-06-28 01:05:02 UTC
Red Hat Product Errata RHSA-2016:1346 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Data Virtualization security and bug fix update 2016-06-28 01:04:56 UTC
Red Hat Product Errata RHSA-2016:1347 0 normal SHIPPED_LIVE Critical: Red Hat JBoss BPM Suite security update 2016-06-28 01:04:49 UTC
Red Hat Product Errata RHSA-2016:1374 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Portal 6.2.0 security update 2016-06-29 20:48:59 UTC
Red Hat Product Errata RHSA-2016:1376 0 normal SHIPPED_LIVE Critical: Red Hat JBoss SOA Platform security update 2016-07-01 01:06:13 UTC
Red Hat Product Errata RHSA-2016:1389 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Fuse Service Works security update 2016-07-07 21:46:41 UTC
Red Hat Product Errata RHSA-2016:1432 0 normal SHIPPED_LIVE Critical: jboss-ec2-eap security, bug fix, and enhancement update 2016-07-18 23:41:10 UTC
Red Hat Product Errata RHSA-2016:1433 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-18 23:44:33 UTC
Red Hat Product Errata RHSA-2016:1434 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform update 2016-07-18 23:39:47 UTC
Red Hat Product Errata RHSA-2016:1435 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-19 01:21:04 UTC
Red Hat Product Errata RHSA-2016:1439 0 normal SHIPPED_LIVE Critical: Red Hat Single Sign-On security update 2016-07-20 06:37:36 UTC
Red Hat Product Errata RHSA-2016:2035 0 normal SHIPPED_LIVE Important: Red Hat JBoss Fuse 6.3 security update 2016-10-06 20:18:07 UTC

Internal Links: 1285635

Description Jason Shepherd 2016-03-02 00:53:24 UTC 
It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Comment 13 JBoss JIRA Server 2016-05-23 08:41:51 UTC 
Carlo de Wolf <cdewolf> updated the status of jira JBEAP-2072 to Resolved
Comment 19 Chess Hazlett 2016-06-21 20:35:28 UTC 
Acknowledgments:

Name: Dennis Reed (Red Hat)
Comment 21 errata-xmlrpc 2016-06-23 20:50:21 UTC 
This issue has been addressed in the following products:

  JBoss Data Grid 6.6

Via RHSA-2016:1334 https://access.redhat.com/errata/RHSA-2016:1334
Comment 22 errata-xmlrpc 2016-06-23 20:50:51 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 7.0

Via RHSA-2016:1333 https://rhn.redhat.com/errata/RHSA-2016-1333.html
Comment 23 errata-xmlrpc 2016-06-23 20:51:08 UTC 
This issue has been addressed in the following products:

  JBEAP 7.0.z for RHEL 7
  JBEAP 7.0.z for RHEL 6

Via RHSA-2016:1332 https://access.redhat.com/errata/RHSA-2016:1332
Comment 24 errata-xmlrpc 2016-06-23 20:51:23 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 6.4

Via RHSA-2016:1331 https://rhn.redhat.com/errata/RHSA-2016-1331.html
Comment 25 errata-xmlrpc 2016-06-23 20:52:23 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise Application Platform 5.2

Via RHSA-2016:1329 https://rhn.redhat.com/errata/RHSA-2016-1329.html
Comment 26 errata-xmlrpc 2016-06-23 21:07:34 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6
  JBEAP 6.4.z for RHEL 5
  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1330 https://access.redhat.com/errata/RHSA-2016:1330
Comment 27 errata-xmlrpc 2016-06-23 21:07:59 UTC 
This issue has been addressed in the following products:

  JBEAP 5 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 6

Via RHSA-2016:1328 https://access.redhat.com/errata/RHSA-2016:1328
Comment 28 Timothy Walsh 2016-06-24 04:17:03 UTC 
Mitigation:

Please refer to https://access.redhat.com/articles/2360521 for more information.
Comment 29 errata-xmlrpc 2016-06-27 21:05:09 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BPM Suite 6.3

Via RHSA-2016:1347 https://access.redhat.com/errata/RHSA-2016:1347
Comment 30 errata-xmlrpc 2016-06-27 21:05:44 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Data Virtualization 6.2

Via RHSA-2016:1346 https://access.redhat.com/errata/RHSA-2016:1346
Comment 31 errata-xmlrpc 2016-06-27 21:06:23 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss BRMS 6.3

Via RHSA-2016:1345 https://access.redhat.com/errata/RHSA-2016:1345
Comment 32 errata-xmlrpc 2016-06-29 16:49:07 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Portal 6.2.0

Via RHSA-2016:1374 https://access.redhat.com/errata/RHSA-2016:1374
Comment 33 errata-xmlrpc 2016-06-30 21:08:47 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss SOA Platform 5.3.1

Via RHSA-2016:1376 https://access.redhat.com/errata/RHSA-2016:1376
Comment 34 errata-xmlrpc 2016-07-07 17:46:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse Service Works 6.0.0

Via RHSA-2016:1389 https://access.redhat.com/errata/RHSA-2016:1389
Comment 35 errata-xmlrpc 2016-07-18 19:08:08 UTC 
This issue has been addressed in the following products:

  JBoss Enterprise BRMS Platform 5.3

Via RHSA-2016:1435 https://access.redhat.com/errata/RHSA-2016:1435
Comment 36 errata-xmlrpc 2016-07-18 19:41:58 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434
Comment 37 errata-xmlrpc 2016-07-18 19:42:38 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432
Comment 38 errata-xmlrpc 2016-07-18 19:45:49 UTC 
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433
Comment 39 errata-xmlrpc 2016-07-19 20:39:54 UTC 
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2016:1439 https://rhn.redhat.com/errata/RHSA-2016-1439.html
Comment 40 JBoss JIRA Server 2016-08-23 11:38:49 UTC 
Jiri Pallich <jpallich> updated the status of jira JBEAP-2072 to Closed
Comment 42 errata-xmlrpc 2016-10-06 16:20:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Fuse 6.3

Via RHSA-2016:2035 https://rhn.redhat.com/errata/RHSA-2016-2035.html
Note You need to log in before you can comment on or make changes to this bug.