Bug 13857

Summary: [CVE 21] hazelcast 3.2.2 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED WONTFIX QA Contact: ROSA Linux Bugs <bugs>
Severity: blocker    
Priority: Highest CC: e.kosachev, s.matveev, v.potapov, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2016-10750, CVE-2022-36437,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-10-18 20:26:17 MSK 
Please patch CVEs for package hazelcast version 3.2.2
  
INFO (CVEs are): hazelcast 3.2.2
 cves found
CVE-2016-10750
Desc: In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
Link: https://nvd.nist.gov/vuln/detail/CVE-2016-10750
Severity: HIGH
CVE-2022-36437
Desc: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-36437
Severity: CRITICAL
Comment 1 Vladimir Potapov 2023-10-20 16:55:53 MSK 
*** Bug 13725 has been marked as a duplicate of this bug. ***
Comment 2 Vladimir Potapov 2023-10-20 16:56:03 MSK 
*** Bug 13533 has been marked as a duplicate of this bug. ***
Comment 3 Svyatoslav Matveev 2023-12-12 01:36:43 MSK 
Входит в java-стек, который пока обновляться не будет