1 reply. Latest reply on Aug 12, 2016 2:28 AM by brianpreuss

    CVE-2016-2141 in WildFly 10

    brianpreuss

      Hi there,

      I've recently integrated the OWASP Dependency Checker into our build. Our project uses WildFly 10. The OWASP Dependency Checker finds several issues related to WildFly 10, one of them being CVE-2016-2141 (see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2141):

      JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.

      The following files were identified by the OWASP Dependency Checker as potentially affected:

      • wildfly-10.0.0.Final/modules/system/layers/base/org/jboss/as/clustering/jgroups/main/wildfly-clustering-jgroups-extension-10.0.0.Final.jar
      • wildfly-10.0.0.Final/modules/system/layers/base/org/wildfly/clustering/jgroups/api/main/wildfly-clustering-jgroups-api-10.0.0.Final.jar

      As far as I can tell, WildFly uses JGroups 3.6.6. There is a fix for this CVE via "[JGRP-2055] ENCRYPT/AUTH: backport JGRP-2021 to 3.6 branch" (JBoss Issue Tracker, for version 3.6.10) and another fix via "[JGRP-2021] ENCRYPT: prevent messages from non-members" (JBoss Issue Tracker, for version 4.0).

      Now my questions:

      • Are there any plans to provide a patched WildFly with JGroups 3.6.10?
      • How do you rate the risk coming from this security issue with WildFly 10?
      • Are there any workarounds?
      • Should I patch WildFly by hand as long as there is no official fix for this issue?

      Regards,

      Brian Preuß

      Koblenz, Germany
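A version check for the situation described in the post, added here as an example (it is not the poster's code and not part of WildFly or Dependency Checker): it walks a WildFly modules tree, reads the JGroups version from the jar file name, and compares it numerically against the fix releases the post cites (3.6.10 for the JGRP-2055 backport, 4.0 for JGRP-2021). The org/jgroups module path and the jgroups-x.y.z.Final.jar naming convention are assumptions, and the sample tree is constructed.

```python
import re
import tempfile
from pathlib import Path

# Fix thresholds taken from the post: JGRP-2055 lands in 3.6.10, JGRP-2021 in 4.0.
FIXED_3_6 = (3, 6, 10)
FIXED_4_0 = (4, 0, 0)

# JGroups jar names are assumed to look like jgroups-3.6.6.Final.jar.
JAR_RE = re.compile(r"^jgroups-(\d+)\.(\d+)\.(\d+)(?:\.[\w-]+)?\.jar$")


def parse_version(jar_name):
    """Return (major, minor, patch) from a JGroups jar file name, or None if it is not one."""
    m = JAR_RE.match(jar_name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """CVE-2016-2141: 3.6.x is fixed from 3.6.10 (backport); anything else below 4.0 is affected.
    Tuples compare numerically; as plain strings '3.6.10' would sort before '3.6.6' and be missed."""
    if version[:2] == (3, 6):
        return version < FIXED_3_6
    return version < FIXED_4_0


def scan_modules(modules_dir):
    """Walk a WildFly modules tree and report (relative path, version, vulnerable) per JGroups jar."""
    findings = []
    for jar in sorted(Path(modules_dir).rglob("jgroups-*.jar")):
        version = parse_version(jar.name)
        if version is not None:
            findings.append((str(jar.relative_to(modules_dir)), version, is_vulnerable(version)))
    return findings


def build_sample_tree():
    """Constructed sample tree; the org/jgroups module path is an assumption, not from the post."""
    root = tempfile.mkdtemp()
    module_dir = Path(root, "system", "layers", "base", "org", "jgroups", "main")
    module_dir.mkdir(parents=True)
    (module_dir / "jgroups-3.6.6.Final.jar").touch()    # the version the poster reports
    (module_dir / "jgroups-3.6.10.Final.jar").touch()   # what a patched module would ship
    return root


if __name__ == "__main__":
    for path, version, vulnerable in scan_modules(build_sample_tree()):
        print(path, ".".join(map(str, version)), "VULNERABLE" if vulnerable else "fixed")
```

Run it against a real install with `scan_modules("wildfly-10.0.0.Final/modules")`; any line marked VULNERABLE points at a JGroups jar below the fix release.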