Re: JGroups vulnerability

2020-04-07 Thread Anthony Baker
Thanks for asking, Mario.  Note that if you want to discuss a security topic 
prior to public disclosure you can use priv...@geode.apache.org.

Anthony


> On Apr 7, 2020, at 12:04 PM, Mario Kevo wrote:
> 
> Hi,
> 
> 
> I was trying to understand whether Geode is impacted by a security 
> vulnerability reported on JGroups (CVE-2016-2141). The vulnerability is 
> related to member authentication and communication encryption. What I could 
> learn from this RFC is that Geode doesn’t utilize the JGroups membership 
> system, but only the UDP messaging, on top of which a custom encryption 
> system is implemented.
> 
> 
> 
> From this I would say that the reported vulnerability doesn’t really apply to 
> Geode. Nevertheless, I wanted to double-check this.
> 
> 
> BR,
> 
> Mario
> 



Re: JGroups vulnerability

2020-04-07 Thread Bruce Schuchardt
Thanks Mario -  Geode uses neither the AUTH nor the ENCRYPT JGroups protocols, 
so this doesn't apply.

On 4/7/20, 12:04 PM, "Mario Kevo" wrote:

Hi,


I was trying to understand whether Geode is impacted by a security 
vulnerability reported on JGroups (CVE-2016-2141). The vulnerability is 
related to member authentication and communication encryption. What I could 
learn from this RFC is that Geode doesn’t utilize the JGroups membership 
system, but only the UDP messaging, on top of which a custom encryption 
system is implemented.



From this I would say that the reported vulnerability doesn’t really apply 
to Geode. Nevertheless, I wanted to double-check this.


BR,

Mario






JGroups vulnerability

2020-04-07 Thread Mario Kevo
Hi,


I was trying to understand whether Geode is impacted by a security 
vulnerability reported on JGroups (CVE-2016-2141). The vulnerability is 
related to member authentication and communication encryption. What I could 
learn from this RFC is that Geode doesn’t utilize the JGroups membership 
system, but only the UDP messaging, on top of which a custom encryption 
system is implemented.



From this I would say that the reported vulnerability doesn’t really apply to 
Geode. Nevertheless, I wanted to double-check this.


BR,

Mario