I've recently integrated the OWASP Dependency Checker into our build. Our project uses WildFly 10. The OWASP Dependency Checker finds several issues related to WildFly 10, one of them is CVE-2016-2141 (see http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2141):
JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors.
The following files were identified from the OWASP Dependency Checker as potentially affected:
As far as I can tell, WildFly uses JGroups 3.6.6. There is a fix for this CVE via [JGRP-2055] ENCRYPT/AUTH: backport JGRP-2021 to 3.6 branch - JBoss Issue Tracker for Version 3.6.10 and another fix via [JGRP-2021] ENCRYPT: prevent messages from non-members - JBoss Issue Tracker for Version 4.0.
Now my questions:
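A quick way to confirm what the scanner is flagging is to look at the JGroups jar that WildFly actually ships and compare its version against the fixed versions named in the question (3.6.10 via the JGRP-2055 backport, 4.0 via JGRP-2021). The script below is an added example and is not part of the original post, of WildFly or of OWASP Dependency-Check. It assumes the WildFly jar is named `jgroups-<major>.<minor>.<patch>[.<qualifier>].jar` under the `modules` tree (as in `jgroups-3.6.6.Final.jar`), and it treats every pre-3.6.10 version as affected, which is a reading of the two tracker issues and the NVD text, not a statement from either project. The directory tree it scans is constructed in a temporary folder so the example runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Fixed-in versions as stated in the question: JGRP-2055 backport (3.6.10)
# and JGRP-2021 (4.0). Assumption: anything below 3.6.10 is affected.
FIXED_3_6 = (3, 6, 10)
FIXED_4 = (4, 0, 0)

# Assumed jar naming: jgroups-3.6.6.Final.jar, jgroups-4.0.0.Final.jar, ...
_JAR_RE = re.compile(r"^jgroups-(\d+)\.(\d+)\.(\d+)(?:[.-][A-Za-z0-9]+)?\.jar$")


def parse_jgroups_jar_name(name):
    """Return (major, minor, patch) for a JGroups jar file name, or None if it is not one."""
    m = _JAR_RE.match(name)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected_by_cve_2016_2141(version):
    """True if a JGroups version predates both fixes named in the question.

    4.0+ carries JGRP-2021; 3.6.10+ carries the JGRP-2055 backport.
    Everything older is treated as affected (assumption, see lead-in).
    """
    if version >= FIXED_4:
        return False
    if version >= FIXED_3_6:
        return False
    return True


def scan_wildfly_modules(root):
    """Walk a WildFly 'modules' tree and report every JGroups jar found.

    Returns a sorted list of (relative path, version tuple, affected flag).
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            version = parse_jgroups_jar_name(fname)
            if version is None:
                continue
            rel = str(Path(dirpath, fname).relative_to(root)).replace(os.sep, "/")
            findings.append((rel, version, is_affected_by_cve_2016_2141(version)))
    return sorted(findings)


def demo():
    """Build a constructed modules tree (not a real WildFly install) and scan it."""
    tmp = tempfile.mkdtemp(prefix="wildfly-modules-")
    # Constructed sample: the stock jar plus a patched one dropped in a second module path.
    samples = [
        "system/layers/base/org/jgroups/main/jgroups-3.6.6.Final.jar",
        "system/layers/patched/org/jgroups/main/jgroups-3.6.10.Final.jar",
        "system/layers/base/org/jboss/as/clustering/jgroups/main/wildfly-clustering-jgroups-10.0.0.Final.jar",
    ]
    for rel in samples:
        p = Path(tmp, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")  # empty placeholder; only the file name matters here
    return scan_wildfly_modules(tmp)


if __name__ == "__main__":
    for rel, version, affected in demo():
        status = "AFFECTED" if affected else "fixed"
        print(f"{status:8} {'.'.join(map(str, version)):8} {rel}")
```

Point the scanner at the real installation with `scan_wildfly_modules("/opt/wildfly/modules")`; a 3.6.6 jar will come back flagged, while a 3.6.10 or 4.x jar will not. The version check is the only part that encodes a judgement, so if the tracker issues are read differently the thresholds at the top are the only lines to change.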