Thanks Mario - Geode uses neither the AUTH nor the ENCRYPT JGroups protocols,
so this doesn't apply.
On 4/7/20, 12:04 PM, "Mario Kevo" <mario.k...@est.tech> wrote:
Hi,
I was trying to understand whether Geode is impacted by a security
vulnerability reported on JGroups
(CVE-2016-2141<https://www.cvedetails.com/cve/CVE-2016-2141/>). The
vulnerability is related to member authentication and communication encryption.
What I could learn from this
RFC<https://cwiki.apache.org/confluence/display/GEODE/Replace+UDP+messaging+for+membership+with+TCP>
is that geode doesn’t utilize the JGroups membership system, but only the UDP
messaging, on top of which a custom encryption system is implemented.
From this I would say that the reported vulnerability doesn’t really apply
to Geode. Nevertheless, I wanted to double-check this.
BR,
Mario
