Thanks Mario - Geode uses neither the AUTH nor the ENCRYPT JGroups protocols, so this doesn't apply.
On 4/7/20, 12:04 PM, "Mario Kevo" <mario.k...@est.tech> wrote: Hi, I was trying to understand whether Geode is impacted by a security vulnerability reported on JGroups (CVE-2016-2141<https://www.cvedetails.com/cve/CVE-2016-2141/>). The vulnerability is related to member authentication and communication encryption. What I could learn from this RFC<https://cwiki.apache.org/confluence/display/GEODE/Replace+UDP+messaging+for+membership+with+TCP> is that geode doesn’t utilize the JGroups membership system, but only the UDP messaging, on top of which a custom encryption system is implemented. From this I would say that the reported vulnerability doesn’t really apply to Geode. Nevertheless, I wanted to double-check this. BR, Mario