CVE-2018-14627

medium

Description

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>
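
A configuration audit for the condition described above, as an added example that is not part of the original advisory or the WildFly project: it flags a server whose configuration requires confidentiality while its version is older than 14.0.0. The sample XML is constructed, its namespace URIs and wrapper elements are placeholders, and the function names are hypothetical; only the `<transport-config>` element and the 14.0.0 boundary come from the description.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = (14, 0, 0)  # per the description: WildFly before 14.0.0 is affected

# Constructed sample; namespace URIs and wrapper elements are placeholders.
SAMPLE_CONFIG = """\
<server xmlns="urn:example:server">
  <profile>
    <subsystem xmlns="urn:example:iiop-openjdk">
      <security>
        <transport-config confidentiality="required" trust-in-target="supported"/>
      </security>
    </subsystem>
  </profile>
</server>
"""

def parse_version(text):
    """Turn '13.0.0.Final' into (13, 0, 0); qualifiers such as 'Final' are ignored."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def transport_configs(xml_text):
    """Return the attributes of every <transport-config>, whatever its namespace."""
    root = ET.fromstring(xml_text)
    return [dict(el.attrib) for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "transport-config"]

def audit(xml_text, wildfly_version):
    """List findings where confidentiality is required but the version is affected."""
    affected = parse_version(wildfly_version) < FIXED_VERSION
    findings = []
    for attrs in transport_configs(xml_text):
        if affected and attrs.get("confidentiality") == "required":
            findings.append(
                f'WildFly {wildfly_version}: confidentiality="required" is configured, '
                "but plaintext IIOP connections are still allowed (CVE-2018-14627); "
                "upgrade to 14.0.0 or later"
            )
    return findings

if __name__ == "__main__":
    for version in ("13.0.0.Final", "14.0.0.Final"):
        print(version, audit(SAMPLE_CONFIG, version) or "no finding")
```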

References

https://security.netapp.com/advisory/ntap-20181221-0002/

https://issues.jboss.org/browse/WFLY-9107

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627

https://access.redhat.com/errata/RHSA-2018:3595

https://access.redhat.com/errata/RHSA-2018:3529

https://access.redhat.com/errata/RHSA-2018:3528

https://access.redhat.com/errata/RHSA-2018:3527

Details

Source: Mitre, NVD

Published: 2018-09-04

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium