1 Reply Latest reply on Aug 12, 2016 2:28 AM by Brian Preuß

    CVE-2016-2141 in WildFly 10

    Brian Preuß Newbie

      Hi there,

       

      I've recently integrated the OWASP Dependency Checker into our build. Our project uses WildFly 10. The OWASP Dependency Checker find several issues related to WildFly 10, one of them is CVE-2016-2141 (see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2141):

       

      JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.


      The following files were identified from the OWASP Dependency Checker as potentially affected:

      • wildfly-10.0.0.Final/modules/system/layers/base/org/jboss/as/clustering/jgroups/main/wildfly-clustering-jgroups-extension-10.0.0.Final.jar
      • wildfly-10.0.0.Final/modules/system/layers/base/org/wildfly/clustering/jgroups/api/main/wildfly-clustering-jgroups-api-10.0.0.Final.jar

       

      As fay as I can tell, WildFly uses JGroups 3.6.6. There is a fix for this CVE via [JGRP-2055] ENCRYPT/AUTH: backport JGRP-2021 to 3.6 branch - JBoss Issue Tracker for Version 3.6.10 and another fix via [JGRP-2021] ENCRYPT: prevent messages from non-members - JBoss Issue Tracker for Version 4.0.

       

      Now my questions:

      • Are there any plans to provided a patched WildFly with JGroups 3.6.10?
      • How do you rate the risk coming from this security issue with WildFly 10?
      • Are there any workarounds?
      • Should I patch WildFly by hand as long there is no official fix for this issue?

       

      Regards,

       

      Brian Preuß

      Koblenz, Germany