CVE-2018-14627

low-risk
Published 2018-09-04

The IIOP OpenJDK Subsystem in WildFly before version 14.0.0 does not honour configuration when SSL transport is required. Servers before this version that are configured with the following setting allow clients to create plaintext connections: <transport-config confidentiality="required" trust-in-target="supported"/>

Do I need to act?

-
0.23% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / HIGH complexity

Affected Products (1)

Wildfly

Affected Vendors

Redhat

References (14)

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3527
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3528
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3529
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3595
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627
Third Party Advisory https://issues.jboss.org/browse/WFLY-9107
https://security.netapp.com/advisory/ntap-20181221-0002/
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3527
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3528
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3529
Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3595
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14627
Third Party Advisory https://issues.jboss.org/browse/WFLY-9107
https://security.netapp.com/advisory/ntap-20181221-0002/
23
/ 100
low-risk
Severity 17/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 5/34 · Minimal