Vulnerability Details : CVE-2016-2141
It was found that JGroups did not require the necessary headers for the ENCRYPT and AUTH protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions and send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Vulnerability category: Information leak
Products affected by CVE-2016-2141
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jgroups:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2016-2141
- EPSS score: 0.93% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~83% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2016-2141
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
References for CVE-2016-2141
- https://access.redhat.com/errata/RHSA-2016:1347 : RHSA-2016:1347 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1329.html : Red Hat Customer Portal (Broken Link; Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1334.html : RHSA-2016:1334 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1434 : RHSA-2016:1434 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1374 : RHSA-2016:1374 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1328.html : RHSA-2016:1328 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1332.html : RHSA-2016:1332 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-2035.html : RHSA-2016:2035 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://rhn.redhat.com/errata/RHSA-2016-1435.html : RHSA-2016:1435 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- http://www.securitytracker.com/id/1036165 : JBoss Authentication Flaw in JGroups Lets Remote Users Bypass Security Restrictions on the Target System - SecurityTracker (Broken Link; Third Party Advisory; VDB Entry)
- http://rhn.redhat.com/errata/RHSA-2016-1439.html : RHSA-2016:1439 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1433 : RHSA-2016:1433 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1333.html : Red Hat Customer Portal (Broken Link; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1389 : RHSA-2016:1389 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html : Oracle Critical Patch Update - April 2019 (Patch; Third Party Advisory)
- http://www.securityfocus.com/bid/91481 : JGroups CVE-2016-2141 Authorization Bypass Vulnerability (VDB Entry)
- https://access.redhat.com/errata/RHSA-2016:1346 : RHSA-2016:1346 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0@%3Cdev.geode.apache.org%3E : Re: JGroups vulnerabilty - Pony Mail (Third Party Advisory)
- https://issues.jboss.org/browse/JGRP-2021 : [JGRP-2021] ENCRYPT: prevent messages from non-members - JBoss Issue Tracker (Issue Tracking; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1345 : RHSA-2016:1345 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1331.html : Red Hat Customer Portal (Broken Link; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1432 : RHSA-2016:1432 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://rhn.redhat.com/errata/RHSA-2016-1330.html : RHSA-2016:1330 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2016:1376 : RHSA-2016:1376 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a@%3Cdev.geode.apache.org%3E : JGroups vulnerabilty - Pony Mail (Third Party Advisory)