A flaw was found in JGroups' DiagnosticsHandler that allowed an attacker on an adjacent network to reuse the credentials from a previous successful authentication. This could be exploited to read diagnostic information (information disclosure) and attain limited remote code execution. This issue affects JGroups versions 3.0.x (3.0.11.Final and later), 3.1.x (3.1.0.Final and later), 3.2.x (prior to 3.2.10.Final) and 3.3.x (prior to 3.3.3.Final).
This issue was fixed in upstream versions 3.3.3.Final and 3.2.10.Final.
Will 3.2.10 be certified for EAP? (To be consumed in JPP 6.1)
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.1.1 via RHSA-2013:1209 (https://rhn.redhat.com/errata/RHSA-2013-1209.html)
This issue has been addressed in the following products: JBEAP 6 for RHEL 6 via RHSA-2013:1208 (https://rhn.redhat.com/errata/RHSA-2013-1208.html)
This issue has been addressed in the following products: JBEAP 6 for RHEL 5 via RHSA-2013:1207 (https://rhn.redhat.com/errata/RHSA-2013-1207.html)
This issue has been addressed in the following products: Red Hat JBoss Portal 6.1.0 via RHSA-2013:1437 (https://rhn.redhat.com/errata/RHSA-2013-1437.html)
This issue has been addressed in the following products: Red Hat JBoss Web Framework Kit 2.4.0 via RHSA-2013:1771 (https://rhn.redhat.com/errata/RHSA-2013-1771.html)
This issue has been addressed in the following products: Red Hat JBoss Data Grid 6.2.0 via RHSA-2014:0029 (https://rhn.redhat.com/errata/RHSA-2014-0029.html)