CVE-2016-2141

Impact:
Critical
Public Date:
2016-06-23
Bugzilla:
1313589: CVE-2016-2141 Authorization bypass in JGroups
It was found that JGroups did not require the necessary headers for the ENCRYPT and AUTH protocols from new nodes joining the cluster. An attacker could use this flaw to bypass those security restrictions and send and receive messages within the cluster, leading to information disclosure, message spoofing, or further attacks.

Find out more about CVE-2016-2141 from the MITRE CVE dictionary and NIST NVD.

CVSS v2 metrics

Base Score: 7.5
Base Metrics: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network
Access Complexity: Low
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

CVSS v3 metrics

CVSS3 Base Score: 9.8
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:1331 | 2016-06-23
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5 Server (jgroups) | RHSA-2016:1328 | 2016-06-23
Red Hat JBoss Portal 6.2 | RHSA-2016:1374 | 2016-06-29
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 6 Server (eap7-jgroups) | RHSA-2016:1332 | 2016-06-23
Red Hat Single Sign-On 7.0 | RHSA-2016:1439 | 2016-07-19
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6 Server (jgroups) | RHSA-2016:1328 | 2016-06-23
JBoss Enterprise BRMS Platform 5.3 | RHSA-2016:1345 | 2016-06-27
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4 AS (jgroups) | RHSA-2016:1328 | 2016-06-23
Red Hat JBoss BRMS 6.3 | RHSA-2016:1347 | 2016-06-27
Red Hat JBoss BRMS 6.3 | RHSA-2016:1345 | 2016-06-27
Red Hat JBoss EAP 7.0 | RHSA-2016:1333 | 2016-06-23
Red Hat JBoss Enterprise Application Platform 7.0 for RHEL 7 Server (eap7-jgroups) | RHSA-2016:1332 | 2016-06-23
Red Hat JBoss Enterprise Application Platform 5.2 | RHSA-2016:1329 | 2016-06-23
Red Hat JBoss Data Grid 6.6 | RHSA-2016:1334 | 2016-06-23
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jgroups) | RHSA-2016:1330 | 2016-06-23
Red Hat JBoss Data Virtualization 6.2 | RHSA-2016:1346 | 2016-06-27
Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2016:1435 | 2016-07-18
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (jgroups) | RHSA-2016:1330 | 2016-06-23
Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server | RHSA-2016:1434 | 2016-07-18
Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jgroups) | RHSA-2016:1330 | 2016-06-23
Red Hat JBoss Fuse Service Works 6.0 | RHSA-2016:1389 | 2016-07-07
Red Hat JBoss Fuse 6.3 | RHSA-2016:2035 | 2016-10-06
Red Hat JBoss SOA Platform 5.3 | RHSA-2016:1376 | 2016-06-30
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jboss-ec2-eap) | RHSA-2016:1432 | 2016-07-18
Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server | RHSA-2016:1433 | 2016-07-18

Affected Packages State

Platform | Package | State
Red Hat Single Sign-On 7 | Clustering | Affected
Red Hat JBoss BPMS 6 | Clustering | Affected
RHEV Manager 3 | distribution | Not affected

Acknowledgements

This issue was discovered by Dennis Reed (Red Hat).

Mitigation

Please refer to https://access.redhat.com/articles/2360521 for more information.
