CVE-2016-2141

Published on: 06/30/2016 12:00:00 AM UTC

Last Modified on: 03/23/2021 11:27:16 PM UTC

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Certain versions of JBoss Enterprise Application Platform from Red Hat contain the following vulnerability:

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

  • CVE-2016-2141 has been assigned by [email protected] to track the vulnerability. It is currently rated as CRITICAL severity.

CVSS3 Score: 9.8 - CRITICAL

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2 Score: 7.5 - HIGH

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

CVE References

Link (source type) | Description and host | Tags

  • RHSA-2016:1434 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1347 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1333 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • RHSA-2016:1334 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • RHSA-2016:1331 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • RHSA-2016:1345 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1435 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • RHSA-2016:1346 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1439 (REDHAT) | Red Hat Customer Portal, web.archive.org |
  • RHSA-2016:1329 (REDHAT) | No description provided, rhn.redhat.com | Vendor Advisory
  • issues.jboss.org/browse/JGRP-2021 (CONFIRM) | [JGRP-2021] ENCRYPT: prevent messages from non-members - JBoss Issue Tracker, issues.jboss.org |
  • BID 91481 (BID) | JGroups CVE-2016-2141 Authorization Bypass Vulnerability, cve.report (archive) |
  • RHSA-2016:1433 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1328 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • [geode-dev] 20200407 Re: JGroups vulnerabilty (MLIST) | Pony Mail!, lists.apache.org |
  • RHSA-2016:2035 (REDHAT) | Red Hat Customer Portal, web.archive.org |
  • RHSA-2016:1332 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • RHSA-2016:1374 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • [geode-dev] 20200407 JGroups vulnerabilty (MLIST) | Pony Mail!, lists.apache.org |
  • SECTRACK 1036165 (SECTRACK) | JBoss Authentication Flaw in JGroups Lets Remote Users Bypass Security Restrictions on the Target System - SecurityTracker, www.securitytracker.com | Third Party Advisory
  • RHSA-2016:1389 (REDHAT) | Red Hat Customer Portal, access.redhat.com | Vendor Advisory
  • RHSA-2016:1376 (REDHAT) | Red Hat Customer Portal - Access to 24x7 support and knowledge, access.redhat.com |
  • RHSA-2016:1432 (REDHAT) | Red Hat Customer Portal, access.redhat.com |
  • RHSA-2016:1330 (REDHAT) | Red Hat Customer Portal, web.archive.org | Vendor Advisory
  • www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html (MISC) | Oracle Critical Patch Update Advisory - April 2019, www.oracle.com |

Known Affected Configurations (CPE V2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Application | Redhat | Jboss Enterprise Application Platform | 5.2 | All | All | All
Application | Redhat | Jboss Enterprise Application Platform | 6.4 | All | All | All
Application | Redhat | Jboss Enterprise Application Platform | 7.0 | All | All | All
Application | Redhat | Jgroups | - | All | All | All

  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:5.2:*:*:*:*:*:*:*:
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4:*:*:*:*:*:*:*:
  • cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*:
  • cpe:2.3:a:redhat:jgroups:-:*:*:*:*:*:*:*: