infinispan CVE-2017-2638 Authentication Bypass Vulnerability

infinispan is prone to an authentication-bypass vulnerability.

An attacker can exploit this issue to bypass the authentication mechanism and obtain sensitive information. This may aid in further attacks.

Versions prior to infinispan 9.0.0.Final are vulnerable.

Information

Bugtraq ID: 97964
Class: Access Validation Error
CVE: CVE-2017-2638

Remote: Yes
Local: No
Published: Apr 19 2017 12:00AM
Updated: Apr 24 2017 03:08PM
Credit: Jonathan Mason (Red Hat).
Vulnerable: Redhat JBoss Data Grid 6.0
infinispan infinispan 8.2.6.Final
infinispan infinispan 8.2.5.Final
infinispan infinispan 8.2.4.Final
infinispan infinispan 8.1.7.Final
infinispan infinispan 8.1.6.Final

Not Vulnerable: Redhat JBoss Data Grid 7.1.0
infinispan infinispan 9.0.0.Final
infinispan infinispan 9.0.0.CR3

Exploit

Currently, we are not aware of any working exploits. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].

References:

• ISPN-7485 Restore REST authentication #4936 (infinispan)
  
• Restore authentication functionality on the REST connector (jboss.org)
  
• Bug 1428564 - (CVE-2017-2638) CVE-2017-2638 infinispan: auth bypass in REST api (Redhat)
  
• RHSA-2017:1097-1: Red Hat JBoss Data Grid 7.1 (Redhat)
  

Source: www.securityfocus.com