Bug 13255

Summary: [CVE 21] jgroups 3.6.10 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Normal
CC: m.novosyolov, s.matveev, y.tumanov
Version: All
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2016-2141,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-05-03 13:20:42 MSK
Please patch CVEs for package jgroups version 3.6.10  
INFO (CVEs are): jgroups 3.6.10 cves found
CVE-2016-2141
Desc: It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-2141
Severity: CRITICAL
Comment 1 Mikhail Novosyolov 2023-05-15 14:15:17 MSK
We will not fix the CVEs in this package for now, due to its lack of widespread use and the difficulty of closing them.