13533 2023-08-24 00:20:15 +0300 [CVE 21] hazelcast 3.2.2 CVEs found 2023-10-20 16:56:09 +0300 1 1 2 ROSA-based products ROSA Fresh System (kernel, glibc, systemd, bash, PAM...) All All Linux RESOLVED DUPLICATE 13857 CVE-2016-10750, CVE-2022-36437, Normal normal --- 1 y.tumanov bugs e.kosachev s.matveev v.potapov y.tumanov 2021.1 oldest_to_newest 68900 0 y.tumanov 2023-08-24 00:20:15 +0300 Please patch CVEs for package hazelcast version 3.2.2 INFO (CVEs are): hazelcast 3.2.2 cves found CVE-2016-10750 Desc: In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code. Link: https://nvd.nist.gov/vuln/detail/CVE-2016-10750 Severity: HIGH CVE-2022-36437 Desc: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36437 Severity: CRITICAL 70171 1 v.potapov 2023-10-20 16:56:03 +0300 *** This bug has been marked as a duplicate of bug 13857 ***