GitHub Advisory DatabaseGHSA-C5HG-MR8R-F6JPHazelcast connection caching
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
54.2%
Impact
The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection’s identity.
The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.
The affected Hazelcast Jet versions are through 4.5.3.
Patches
Hazelcast Jet (and Enterprise) 4.5.4.
Hazelcast IMDG (and Enterprise)3.12.13
Hazelcast IMDG (and Enterprise) 4.1.10
Hazelcast IMDG (and Enterprise) 4.2.6
Hazelcast Platform (and Enterprise) 5.1.3
Workarounds
There is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.
References
https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437
Related
9.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
54.2%