CVE-2016-2141

critical

Description

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

References

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://rhn.redhat.com/errata/RHSA-2016-1333.html

https://issues.jboss.org/browse/JGRP-2021

http://www.securitytracker.com/id/1036165

https://rhn.redhat.com/errata/RHSA-2016-1331.html

https://rhn.redhat.com/errata/RHSA-2016-1329.html

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1345

http://rhn.redhat.com/errata/RHSA-2016-1435.html

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1434

http://www.securityfocus.com/bid/91481

http://rhn.redhat.com/errata/RHSA-2016-1439.html

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1376

http://rhn.redhat.com/errata/RHSA-2016-2035.html

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://lists.apache.org/thread.html/[email protected]%3Cdev.geode.apache.org%3E


Details

Source: MITRE

Published: 2016-06-30

Updated: 2022-02-25

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL