CVE-2018-14627

Name of the Vulnerable Software and Affected Versions WildFly versions prior to 14.0.0

Description The issue concerns the IIOP OpenJDK Subsystem in WildFly, where the configuration is not honored when SSL transport is required. Specifically, servers configured with the setting <transport-config confidentiality="required" trust-in-target="supported"/> allow clients to create plaintext connections, despite the requirement for SSL transport.

Recommendations For versions prior to 14.0.0, update to version 14.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the IIOP OpenJDK Subsystem or restricting its use to minimize the risk of exploitation. Avoid using the <transport-config> setting with confidentiality="required" until the issue is resolved.