CVE-2016-2141

critical

Description

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

References

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

https://rhn.redhat.com/errata/RHSA-2016-1334.html

https://rhn.redhat.com/errata/RHSA-2016-1332.html

https://rhn.redhat.com/errata/RHSA-2016-1330.html

https://rhn.redhat.com/errata/RHSA-2016-1328.html

https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E

https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E

https://issues.jboss.org/browse/JGRP-2021

https://access.redhat.com/errata/RHSA-2016:1434

https://access.redhat.com/errata/RHSA-2016:1433

https://access.redhat.com/errata/RHSA-2016:1432

https://access.redhat.com/errata/RHSA-2016:1389

https://access.redhat.com/errata/RHSA-2016:1376

https://access.redhat.com/errata/RHSA-2016:1374

https://access.redhat.com/errata/RHSA-2016:1347

https://access.redhat.com/errata/RHSA-2016:1346

https://access.redhat.com/errata/RHSA-2016:1345

http://www.securityfocus.com/bid/91481

http://rhn.redhat.com/errata/RHSA-2016-2035.html

http://rhn.redhat.com/errata/RHSA-2016-1439.html

http://rhn.redhat.com/errata/RHSA-2016-1435.html

Details

Source: Mitre, NVD

Published: 2016-06-30

Updated: 2025-04-12

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01638