Bug 13876

Summary: [CVE 21] jgroups 3.6.10 CVEs found
Product: [ROSA-based products] ROSA Fresh
Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)
Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX
QA Contact: ROSA Linux Bugs <bugs>
Severity: critical
Priority: Highest
CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All
Flags: y.tumanov: secteam_verified?
Target Milestone: ---
Hardware: All
OS: Linux
URL: CVE-2016-2141,
Whiteboard:
Platform: 2021.1
ROSA Vulnerability identifier:
RPM Package:
ISO-related:
Bad POT generating:
Upstream:

Description Yury 2023-10-18 20:27:24 MSK
Please patch CVEs for package jgroups version 3.6.10
  
INFO (CVEs are): jgroups 3.6.10
 cves found
CVE-2016-2141
Desc: It was found that JGroups did not require necessary headers for encrypt and auth protocols from new nodes joining the cluster. An attacker could use this flaw to bypass security restrictions, and use this vulnerability to send and receive messages within the cluster, leading to information disclosure, message spoofing, or further possible attacks.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-2141
Severity: CRITICAL

Comment 1 Vladimir Potapov 2023-10-20 17:04:54 MSK
*** Bug 13744 has been marked as a duplicate of this bug. ***

Comment 2 Svyatoslav Matveev 2023-12-12 01:51:15 MSK
It is part of the Java stack, which will not be updated for now.