Posted to dev@geode.apache.org by Anthony Baker <ab...@pivotal.io> on 2020/04/07 23:34:41 UTC

Re: JGroups vulnerability

Thanks for asking, Mario. Note that if you want to discuss a security topic prior to public disclosure you can use private@geode.apache.org.

Anthony


> On Apr 7, 2020, at 12:04 PM, Mario Kevo <ma...@est.tech> wrote:
> 
> Hi,
> 
> 
> I was trying to understand whether Geode is impacted by a security vulnerability reported on JGroups (CVE-2016-2141 <https://www.cvedetails.com/cve/CVE-2016-2141/>). The vulnerability is related to member authentication and communication encryption. What I could learn from this RFC <https://cwiki.apache.org/confluence/display/GEODE/Replace+UDP+messaging+for+membership+with+TCP> is that Geode doesn’t utilize the JGroups membership system, but only the UDP messaging, on top of which a custom encryption system is implemented.
> 
> 
> 
> From this I would say that the reported vulnerability doesn’t really apply to Geode. Nevertheless, I wanted to double-check this.
> 
> 
> BR,
> 
> Mario
>