13533 – [CVE 21] hazelcast 3.2.2 CVEs found

Bug 13533 - [CVE 21] hazelcast 3.2.2 CVEs found

Summary: [CVE 21] hazelcast 3.2.2 CVEs found

Status:	RESOLVED DUPLICATE of bug 13857

Alias:	None

Product:	ROSA Fresh
Classification:	ROSA-based products
Component:	System (kernel, glibc, systemd, bash, PAM...) (show other bugs)
Version:	All
Hardware:	All Linux

Importance:	Normal normal
Target Milestone:	---
Assignee:	ROSA Linux Bugs

URL:	CVE-2016-10750, CVE-2022-36437,
Whiteboard:

Depends on:
Blocks:

Reported:	2023-08-24 00:20 MSK by Yury
Modified:	2023-10-20 16:56 MSK (History)
CC List:	4 users (show)

See Also:
Platform:	2021.1
ROSA Vulnerability identifier:
RPM Package:
Upstream:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yury 2023-08-24 00:20:15 MSK

Please patch CVEs for package hazelcast version 3.2.2
  
INFO (CVEs are): hazelcast 3.2.2
 cves found
CVE-2016-10750
Desc: In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-10750
Severity: HIGH
CVE-2022-36437
Desc: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36437
Severity: CRITICAL

Comment 1 Vladimir Potapov 2023-10-20 16:56:03 MSK


*** This bug has been marked as a duplicate of bug 13857 ***