// For flags

CVE-2016-2141

JGroups: Authorization bypass

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

JGroups en versiones anteriores a 4.0 no solicita las cabeceras adecuadas para los protocolos ENCRYPT y AUTH desde los nodos uniéndose al grupo, lo que permite a atacantes remotos eludir las restricciones de seguridad y enviar y recibir mensajes dentro del grupo a través de vectores no especificados.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. This release of Red Hat JBoss Enterprise Application Platform 6.4.9 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.8, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References. Security Fix: It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-01-29 CVE Reserved
  • 2016-06-24 CVE Published
  • 2024-08-05 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
CAPEC
References (27)
URL Tag Source
http://www.securityfocus.com/bid/91481 Vdb Entry
http://www.securitytracker.com/id/1036165 Broken Link
https://lists.apache.org/thread.html/ra18cac97416abc2958db0b107877c31da28d884fa6e70fd89c87384a%40%3Cdev.geode.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb37cc937d4fc026fb56de4b4ec0d054aa4083c1a4edd0d8360c068a0%40%3Cdev.geode.apache.org%3E Mailing List
URL Date SRC
URL Date SRC
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html 2023-11-07
URL Date SRC
http://rhn.redhat.com/errata/RHSA-2016-1435.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2016-1439.html 2023-11-07
http://rhn.redhat.com/errata/RHSA-2016-2035.html 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1345 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1346 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1347 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1374 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1376 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1389 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1432 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1433 2023-11-07
https://access.redhat.com/errata/RHSA-2016:1434 2023-11-07
https://issues.jboss.org/browse/JGRP-2021 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1328.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1329.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1330.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1331.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1332.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1333.html 2023-11-07
https://rhn.redhat.com/errata/RHSA-2016-1334.html 2023-11-07
https://access.redhat.com/security/cve/CVE-2016-2141 2016-10-06
https://bugzilla.redhat.com/show_bug.cgi?id=1313589 2016-10-06
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 5.2
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 5.0
Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 5.2
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 5.2
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "5.2"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 6.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 5.0
Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 6.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 6.4
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "6.4"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 5.0
Search vendor "Redhat" for product "Enterprise Linux" and version "5.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 6.0
Search vendor "Redhat" for product "Enterprise Linux" and version "6.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jboss Enterprise Application Platform
Search vendor "Redhat" for product "Jboss Enterprise Application Platform"
 7.0
Search vendor "Redhat" for product "Jboss Enterprise Application Platform" and version "7.0"
-
Affected
in Redhat
Search vendor "Redhat"
 Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
 7.0
Search vendor "Redhat" for product "Enterprise Linux" and version "7.0"
-
Safe
Redhat
Search vendor "Redhat"
 Jgroups
Search vendor "Redhat" for product "Jgroups"
 < 4.0
Search vendor "Redhat" for product "Jgroups" and version " < 4.0"
-
Affected