Vulnerability Name: CVE-2018-14627 (CCN-149619)

Assigned: 2018-09-04
Published: 2018-09-04
Updated: 2019-10-03
Summary: The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
CVSS v3 Severity: 5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-319
Vulnerability Consequences: Gain Access
References:
Source: MITRE
Type: CNA
CVE-2018-14627

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:3527

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:3528

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:3529

Source: REDHAT
Type: Third Party Advisory
RHSA-2018:3595

Source: CCN
Type: Red Hat Bugzilla – Bug 1624664
(CVE-2018-14627) CVE-2018-14627 JBoss/WildFly: iiop does not honour strict transport confidentiality

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627

Source: XF
Type: UNKNOWN
wildfly-cve201814627-weak-security(149619)

Source: CONFIRM
Type: Third Party Advisory
https://issues.jboss.org/browse/WFLY-9107

Source: CCN
Type: WFLY-9107
Block non-SSL IIOP port when SSL transport is required

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20181221-0002/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:redhat:wildfly:*:*:*:*:*:*:*:* (Version < 14.0.0)

  • * Denotes that component is vulnerable