Bug 13725

Summary: [CVE 21] hazelcast 3.2.2 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: All   
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2016-10750, CVE-2022-36437,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:01:33 MSK 
Please patch CVEs for package hazelcast version 3.2.2
  
INFO (CVEs are): hazelcast 3.2.2
 cves found
CVE-2016-10750
Desc: In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-10750
Severity: HIGH
CVE-2022-36437
Desc: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36437
Severity: CRITICAL
Comment 1 Vladimir Potapov 2023-10-20 16:55:53 MSK 

*** This bug has been marked as a duplicate of bug 13857 ***