PT-2016-5024 · Red Hat · Jgroups
Dennis Reed · Published 2016-06-30 · Updated 2023-04-26
CVE-2016-2141 · CVSS v3.1 9.8 Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
JGroups versions prior to 4.0
JGroups versions 3.6.x prior to 3.6.10.Final
JGroups versions 3.2.x prior to 3.2.16.Final
Description
JGroups did not require the ENCRYPT and AUTH protocol headers on messages from new nodes joining the cluster. A remote attacker who can reach the cluster transport can therefore join without presenting the header that ENCRYPT or AUTH would normally check, bypassing the restrictions those protocols are meant to enforce, and can then send and receive messages within the cluster. This can lead to information disclosure, message spoofing, or further attacks against the cluster members.
Recommendations
For JGroups 3.2.x, update to version 3.2.16.Final or later.
For JGroups 3.6.x, update to version 3.6.10.Final or later.
For any other JGroups version prior to 4.0 (including the 3.3.x, 3.4.x and 3.5.x branches, which received no backport), update to version 4.0 or later.
Until the upgrade is in place, restrict network access to the cluster transport: on affected versions ENCRYPT and AUTH cannot be relied on to keep unauthorized nodes out, so network isolation is the compensating control.
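The following script is an added example, not part of the advisory or of the JGroups project. It classifies a JGroups version string against the fixed versions listed above (3.2.16.Final, 3.6.10.Final, 4.0) and extracts versions from jar file names so that a host can be scanned for affected copies. The jar paths at the bottom are constructed sample input; in practice feed it the output of `find` over the deployment. It assumes the page's ranges literally: any 4.x string, including pre-release qualifiers, is treated as fixed, and a 3.x branch other than 3.2 and 3.6 is reported as needing 4.0.

```shell
#!/bin/sh
# Added example for CVE-2016-2141 (not the project's own tooling).
# Prints the minimum fixed version required for a JGroups version string,
# "none" when the version is already fixed, or "unknown" (exit 1) when the
# string cannot be parsed.
jgroups_required_fix() {
  # keep only the leading numeric part: "3.6.9.Final" -> "3.6.9"
  num=$(printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+)*).*/\1/')
  case $num in
    ''|*[!0-9.]*) echo unknown; return 1 ;;
  esac
  major=$(printf '%s\n' "$num" | cut -d. -f1)
  minor=$(printf '%s\n' "$num" | cut -s -d. -f2)
  patch=$(printf '%s\n' "$num" | cut -s -d. -f3)
  minor=${minor:-0}; patch=${patch:-0}

  if [ "$major" -ge 4 ]; then
    # Assumption: every 4.x build, pre-release qualifiers included, is fixed.
    echo none
  elif [ "$major" -eq 3 ] && [ "$minor" -eq 6 ]; then
    [ "$patch" -ge 10 ] && echo none || echo 3.6.10.Final
  elif [ "$major" -eq 3 ] && [ "$minor" -eq 2 ]; then
    [ "$patch" -ge 16 ] && echo none || echo 3.2.16.Final
  else
    # 3.0/3.1, 3.3-3.5 and anything older: no backport, move to 4.0
    echo 4.0
  fi
}

# Extract the version from a jar name such as jgroups-3.6.9.Final.jar.
# Prints nothing for names that do not follow the jgroups-<version>.jar pattern.
jgroups_version_from_jar() {
  basename "$1" | sed -n -E 's/^jgroups-([0-9][^/]*)\.jar$/\1/p'
}

# Constructed sample paths (not real findings). Replace with, for example:
#   find / -name 'jgroups*.jar' 2>/dev/null
SAMPLE_JARS='/opt/app/lib/jgroups-3.6.9.Final.jar
/opt/app/lib/jgroups-3.2.16.Final.jar
/home/u/.m2/repository/org/jgroups/jgroups/4.0.4.Final/jgroups-4.0.4.Final.jar
/opt/legacy/jgroups-3.4.1.Final.jar
/opt/legacy/jgroups-all.jar'

printf '%s\n' "$SAMPLE_JARS" | while read -r jar; do
  v=$(jgroups_version_from_jar "$jar")
  [ -n "$v" ] || continue
  fix=$(jgroups_required_fix "$v")
  if [ "$fix" = none ]; then
    printf 'OK         %s\n' "$jar"
  else
    printf 'VULNERABLE %s (upgrade to %s)\n' "$jar" "$fix"
  fi
done
```

Jar names are only a first pass: shaded or renamed jars (and embedded copies inside an application archive) will not match the file-name pattern, so confirm with the build's dependency report or the `Implementation-Version` in the jar manifest.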
Fix
RCE
Weakness Enumeration
Related Identifiers
Affected Products
Debian
Jgroups