ID CVE-2016-2141
Summary It was found that JGroups did not require the necessary headers for the encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions and send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
References
Vulnerable Configurations
  • cpe:2.3:a:redhat:jgroups:-:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4:*:*:*:*:*:*:*
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
  • cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
CVSS
Base: 7.5 (as of 26-04-2023 - 21:15)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:L/Au:N/C:P/I:P/A:P
redhat via4
advisories
  • rhsa
    id RHSA-2016:1328
  • rhsa
    id RHSA-2016:1329
  • rhsa
    id RHSA-2016:1330
  • rhsa
    id RHSA-2016:1331
  • rhsa
    id RHSA-2016:1332
  • rhsa
    id RHSA-2016:1333
  • rhsa
    id RHSA-2016:1334
  • rhsa
    id RHSA-2016:1345
  • rhsa
    id RHSA-2016:1346
  • rhsa
    id RHSA-2016:1347
  • rhsa
    id RHSA-2016:1374
  • rhsa
    id RHSA-2016:1376
  • rhsa
    id RHSA-2016:1389
  • rhsa
    id RHSA-2016:1432
  • rhsa
    id RHSA-2016:1433
  • rhsa
    id RHSA-2016:1434
  • rhsa
    id RHSA-2016:1435
  • rhsa
    id RHSA-2016:1439
  • rhsa
    id RHSA-2016:2035
rpms
  • jgroups-1:2.6.22-2.ep5.el4
  • jgroups-1:2.6.22-2.ep5.el5
  • jgroups-1:2.6.22-2.ep5.el6
  • jgroups-1:3.2.16-1.Final_redhat_1.1.ep6.el5
  • jgroups-1:3.2.16-1.Final_redhat_1.1.ep6.el6
  • jgroups-1:3.2.16-1.Final_redhat_1.1.ep6.el7
  • eap7-jgroups-0:3.6.8-3.Final_redhat_3.1.ep7.el6
  • eap7-jgroups-0:3.6.8-3.Final_redhat_3.1.ep7.el7
  • jboss-ec2-eap-0:7.5.9-2.Final_redhat_2.ep6.el6
  • jboss-ec2-eap-samples-0:7.5.9-2.Final_redhat_2.ep6.el6
  • apache-cxf-0:2.7.18-2.SP1_redhat_1.1.ep6.el6
  • glassfish-jsf-eap6-0:2.1.28-11.SP10_redhat_1.1.ep6.el6
  • hibernate4-validator-0:4.3.3-1.Final_redhat_1.1.ep6.el6
  • hornetq-0:2.3.25-13.SP11_redhat_1.1.ep6.el6
  • jboss-as-appclient-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-cli-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-client-all-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-clustering-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-cmp-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-configadmin-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-connector-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-controller-client-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-core-security-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-deployment-repository-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-deployment-scanner-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-domain-http-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-domain-management-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-ee-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-ee-deployment-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-ejb3-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-embedded-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-host-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jacorb-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jaxr-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jaxrs-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jdr-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jmx-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jpa-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jsf-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-jsr77-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-logging-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-mail-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-management-client-content-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-messaging-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-modcluster-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-naming-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-network-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-osgi-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-osgi-configadmin-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-osgi-service-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-picketlink-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-platform-mbean-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-pojo-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-process-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-protocol-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-remoting-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-sar-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-security-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-server-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-system-jmx-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-threads-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-transactions-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-version-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-web-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-webservices-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-weld-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-as-xts-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jboss-jsf-api_2.1_spec-0:2.1.28-6.SP2_redhat_1.1.ep6.el6
  • jboss-msc-0:1.1.6-1.Final_redhat_1.1.ep6.el6
  • jbossas-appclient-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-bundles-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-core-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-domain-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-javadocs-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-modules-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-product-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-standalone-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossas-welcome-content-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el6
  • jbossts-1:4.17.34-1.Final_redhat_1.1.ep6.el6
  • jbossweb-0:7.5.17-1.Final_redhat_1.1.ep6.el6
  • picketlink-bindings-0:2.5.4-11.SP9_redhat_2.1.ep6.el6
  • picketlink-federation-0:2.5.4-11.SP9_redhat_2.1.ep6.el6
  • xalan-j2-eap6-0:2.7.1-11.redhat_11.1.ep6.el6
  • apache-cxf-0:2.7.18-2.SP1_redhat_1.1.ep6.el7
  • glassfish-jsf-eap6-0:2.1.28-11.SP10_redhat_1.1.ep6.el7
  • hibernate4-validator-0:4.3.3-1.Final_redhat_1.1.ep6.el7
  • hornetq-0:2.3.25-13.SP11_redhat_1.1.ep6.el7
  • jboss-as-appclient-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-cli-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-client-all-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-clustering-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-cmp-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-configadmin-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-connector-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-controller-client-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-core-security-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-deployment-repository-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-deployment-scanner-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-domain-http-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-domain-management-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-ee-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-ee-deployment-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-ejb3-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-embedded-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-host-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jacorb-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jaxr-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jaxrs-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jdr-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jmx-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jpa-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jsf-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-jsr77-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-logging-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-mail-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-management-client-content-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-messaging-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-modcluster-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-naming-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-network-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-osgi-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-osgi-configadmin-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-osgi-service-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-picketlink-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-platform-mbean-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-pojo-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-process-controller-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-protocol-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-remoting-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-sar-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-security-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-server-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-system-jmx-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-threads-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-transactions-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-version-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-web-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-webservices-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-weld-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-as-xts-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jboss-jsf-api_2.1_spec-0:2.1.28-6.SP2_redhat_1.1.ep6.el7
  • jboss-msc-0:1.1.6-1.Final_redhat_1.1.ep6.el7
  • jbossas-appclient-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-bundles-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-core-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-domain-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-javadocs-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-modules-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-product-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-standalone-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossas-welcome-content-eap-0:7.5.9-2.Final_redhat_2.1.ep6.el7
  • jbossts-1:4.17.34-1.Final_redhat_1.1.ep6.el7
  • jbossweb-0:7.5.17-1.Final_redhat_1.1.ep6.el7
  • picketlink-bindings-0:2.5.4-11.SP9_redhat_2.1.ep6.el7
  • picketlink-federation-0:2.5.4-11.SP9_redhat_2.1.ep6.el7
  • xalan-j2-eap6-0:2.7.1-11.redhat_11.1.ep6.el7
refmap via4
bid 91481
confirm https://issues.jboss.org/browse/JGRP-2021
misc https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
mlist
  • [geode-dev] 20200407 JGroups vulnerabilty
  • [geode-dev] 20200407 Re: JGroups vulnerabilty
sectrack 1036165
Last major update 26-04-2023 - 21:15
Published 30-06-2016 - 16:59
Last modified 26-04-2023 - 21:15