Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jNWhnLW1yOHItZjZqcM4AAwnc

Hazelcast connection caching

Impact

The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity.
The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2.
The affected Hazelcast Jet versions are through 4.5.3.

Patches

Hazelcast Jet (and Enterprise) 4.5.4
Hazelcast IMDG (and Enterprise) 3.12.13
Hazelcast IMDG (and Enterprise) 4.1.10
Hazelcast IMDG (and Enterprise) 4.2.6
Hazelcast Platform (and Enterprise) 5.0.4
Hazelcast Platform (and Enterprise) 5.1.3
No fixed release is listed for the 4.0.x branch; deployments on 4.0.x need to move to 4.1.10 or a later fixed release.

Workarounds

There is no known workaround. Deployments with TLS and mutual authentication enabled are at significantly lower risk, because an attacker without a trusted client certificate cannot complete a connection to the cluster in the first place; this reduces exposure but does not remove the defect, so upgrading to a fixed release is still required.
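As an added example (not part of the advisory and not Hazelcast's own tooling), the following Python audits a member hazelcast.xml for the mitigation named above: TLS enabled on the member network with mutual authentication set to REQUIRED, so that a peer without a trusted certificate cannot open a connection at all. Both configurations are constructed for the example, the keystore paths and passwords are placeholders, and the element and property names (ssl, factory-class-name, properties/property, mutualAuthentication, keyStore, trustStore) follow the hazelcast.xml TLS configuration, which is an Enterprise feature; an open-source member cannot apply it.

```python
"""Audit a Hazelcast member configuration for the advisory's mitigation:
TLS on the member network with mutual authentication REQUIRED.
Added example; not Hazelcast tooling. Sample configs are constructed."""
import xml.etree.ElementTree as ET

# Constructed: the default shape, no TLS at all (port 5701 speaks plaintext).
WEAK_CONFIG = """<hazelcast xmlns="http://www.hazelcast.com/schema/config">
  <cluster-name>prod</cluster-name>
  <network>
    <port auto-increment="true">5701</port>
  </network>
</hazelcast>"""

# Constructed: TLS enabled, and every peer (client or member) must present a
# certificate that chains to the trust store. Paths and passwords are placeholders.
HARDENED_CONFIG = """<hazelcast xmlns="http://www.hazelcast.com/schema/config">
  <cluster-name>prod</cluster-name>
  <network>
    <port auto-increment="true">5701</port>
    <ssl enabled="true">
      <factory-class-name>com.hazelcast.nio.ssl.BasicSSLContextFactory</factory-class-name>
      <properties>
        <property name="protocol">TLSv1.2</property>
        <property name="mutualAuthentication">REQUIRED</property>
        <property name="keyStore">/opt/hazelcast/conf/member.p12</property>
        <property name="keyStorePassword">changeit</property>
        <property name="trustStore">/opt/hazelcast/conf/truststore.p12</property>
        <property name="trustStorePassword">changeit</property>
      </properties>
    </ssl>
  </network>
</hazelcast>"""


def _local(tag):
    """Strip the XML namespace so the audit works with or without xmlns on the root."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def audit_tls(config_xml):
    """Return a list of findings; an empty list means TLS with mutual auth is configured."""
    root = ET.fromstring(config_xml)
    findings = []
    network = _child(root, "network")
    if network is None:
        return ["no <network> section: defaults apply, which means no TLS"]
    ssl = _child(network, "ssl")
    if ssl is None or ssl.get("enabled", "false").strip().lower() != "true":
        # Nothing else matters if the listener is plaintext.
        return ["TLS not enabled on member network: plaintext client/member connections"]

    props = {}
    properties = _child(ssl, "properties")
    if properties is not None:
        for p in properties:
            if _local(p.tag) == "property" and p.get("name"):
                props[p.get("name")] = (p.text or "").strip()

    # OPTIONAL (or unset) lets a peer without a certificate connect; only REQUIRED
    # keeps unauthenticated peers off the cluster entirely.
    if props.get("mutualAuthentication", "").upper() != "REQUIRED":
        findings.append("mutualAuthentication is not REQUIRED: peers need not present a certificate")
    for key in ("keyStore", "trustStore"):
        if not props.get(key):
            findings.append(f"{key} not set: mutual TLS cannot be enforced without it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_tls(cfg) or "OK")
```

Run audit_tls over the configuration actually deployed to each member (and check the equivalent ssl block in client configurations). A clean result narrows who can reach the connection handler; it is a compensating control, not a fix, and the releases listed under Patches are still required.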

References

https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437

Permalink: https://github.com/advisories/GHSA-c5hg-mr8r-f6jp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNWhnLW1yOHItZjZqcM4AAwnc
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Identifiers: GHSA-c5hg-mr8r-f6jp, CVE-2022-36437
References: Repository: https://github.com/hazelcast/hazelcast
Blast Radius: 36.6

Affected Packages

maven:com.hazelcast:hazelcast-enterprise
Affected Version Ranges: >= 5.1, <= 5.1.2, >= 5.0, <= 5.0.3, >= 4.2, <= 4.2.5, >= 4.1, <= 4.1.9, >= 4.0, <= 4.0.6, <= 3.12.12
Fixed in: 5.1.3, 5.0.4, 4.2.6, 4.1.10, 3.12.13 (no fixed release for the 4.0 branch)
maven:com.hazelcast.jet:hazelcast-jet-enterprise
Affected Version Ranges: <= 4.5.3
Fixed in: 4.5.4
maven:com.hazelcast.jet:hazelcast-jet
Dependent packages: 27
Dependent repositories: 275
Affected Version Ranges: <= 4.5.3
Fixed in: 4.5.4
All affected versions: 0.3.1, 0.5.1, 0.6.1, 0.7.1, 0.7.2, 3.2.1, 3.2.2, 4.1.1, 4.3.1, 4.5.1, 4.5.2, 4.5.3
All unaffected versions: 4.5.4
maven:com.hazelcast:hazelcast
Dependent packages: 607
Dependent repositories: 10,433
Affected Version Ranges: >= 5.1, <= 5.1.2, >= 5.0, <= 5.0.3, >= 4.2, <= 4.2.5, >= 4.1, <= 4.1.9, >= 4.0, <= 4.0.6, <= 3.12.12
Fixed in: 5.1.3, 5.0.4, 4.2.6, 4.1.10, 3.12.13 (no fixed release for the 4.0 branch)
All affected versions: 1.9.2, 1.9.3, 1.9.4, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.1, 2.1.2, 2.1.3, 2.3.1, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 3.0.1, 3.0.2, 3.0.3, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.4.1, 3.4.2, 3.4.5, 3.4.6, 3.4.7, 3.4.8, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 3.5.5, 3.6.1, 3.6.2, 3.6.3, 3.6.4, 3.6.5, 3.6.6, 3.6.7, 3.6.8, 3.7.1, 3.7.2, 3.7.3, 3.7.4, 3.7.5, 3.7.6, 3.7.7, 3.7.8, 3.8.1, 3.8.2, 3.8.3, 3.8.4, 3.8.5, 3.8.6, 3.8.7, 3.8.8, 3.8.9, 3.9.1, 3.9.2, 3.9.3, 3.9.4, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.10.6, 3.10.7, 3.11.1, 3.11.2, 3.11.3, 3.11.4, 3.11.5, 3.11.6, 3.11.7, 3.12.1, 3.12.2, 3.12.3, 3.12.4, 3.12.5, 3.12.6, 3.12.7, 3.12.8, 3.12.9, 3.12.10, 3.12.11, 3.12.12, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 5.0.1, 5.0.2, 5.0.3, 5.1.1, 5.1.2
All unaffected versions: 3.12.13, 4.1.10, 4.2.6, 4.2.7, 4.2.8, 5.0.4, 5.0.5, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.3.0, 5.3.1, 5.3.2, 5.3.4, 5.3.5, 5.3.6, 5.3.7
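To check what a build actually resolves against the ranges listed above, here is an added Python example (not from the advisory and not Hazelcast tooling). It encodes the affected ranges and fixed releases from the Affected Packages section, compares a Maven version by its numeric prefix, and scans the per-artifact lines printed by mvn dependency:list. The sample listing is constructed for the demonstration. Version qualifiers such as -SNAPSHOT are dropped before comparison, so a snapshot of a fixed version is treated as fixed; that is an assumption of the example, not a guarantee about the build.

```python
"""Check resolved Maven artifacts against the affected ranges in this advisory
(CVE-2022-36437 / GHSA-c5hg-mr8r-f6jp). Added example, not Hazelcast tooling."""
import re

# Affected ranges from the Affected Packages section: (lower inclusive or None, upper inclusive).
AFFECTED = {
    "com.hazelcast:hazelcast": [
        (None, "3.12.12"),
        ("4.0", "4.0.6"),
        ("4.1", "4.1.9"),
        ("4.2", "4.2.5"),
        ("5.0", "5.0.3"),
        ("5.1", "5.1.2"),
    ],
    "com.hazelcast.jet:hazelcast-jet": [(None, "4.5.3")],
}
# The Enterprise artifacts carry the same ranges as their open-source counterparts.
AFFECTED["com.hazelcast:hazelcast-enterprise"] = AFFECTED["com.hazelcast:hazelcast"]
AFFECTED["com.hazelcast.jet:hazelcast-jet-enterprise"] = AFFECTED["com.hazelcast.jet:hazelcast-jet"]

# Fixed releases in ascending order. The 4.0 branch has no fix listed, so a 4.0.x
# deployment is pointed at 4.1.10, the next fixed release above it.
FIXED = {
    "com.hazelcast:hazelcast": ["3.12.13", "4.1.10", "4.2.6", "5.0.4", "5.1.3"],
    "com.hazelcast.jet:hazelcast-jet": ["4.5.4"],
}


def parse_version(version):
    """Comparable tuple from the leading dotted-numeric part of a Maven version.
    Assumption: qualifiers (-SNAPSHOT, -BETA-1, ...) are ignored, so 5.1.3-SNAPSHOT
    compares equal to 5.1.3."""
    m = re.match(r"(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(artifact, version):
    """True if `artifact` (groupId:artifactId) at `version` falls inside an affected range."""
    ranges = AFFECTED.get(artifact)
    if ranges is None:
        return False  # artifact not covered by this advisory
    v = parse_version(version)
    return any(
        (lo is None or parse_version(lo) <= v) and v <= parse_version(hi)
        for lo, hi in ranges
    )


def nearest_fix(artifact, version):
    """Smallest fixed release at or above an affected version; None when not affected."""
    if not is_affected(artifact, version):
        return None
    base = artifact.replace("-enterprise", "")
    v = parse_version(version)
    return next((f for f in FIXED[base] if parse_version(f) >= v), None)


# One resolved artifact per line, in the groupId:artifactId:type:version:scope
# form that `mvn dependency:list` prints.
_DEP_LINE = re.compile(r"([\w.\-]+):([\w.\-]+):(?:jar|bundle):([\w.\-]+):(\w+)")


def scan_dependency_list(text):
    """Return (artifact, version, nearest_fix) for every affected artifact in the listing."""
    hits = []
    for line in text.splitlines():
        m = _DEP_LINE.search(line)
        if not m:
            continue
        artifact = f"{m.group(1)}:{m.group(2)}"
        version = m.group(3)
        if is_affected(artifact, version):
            hits.append((artifact, version, nearest_fix(artifact, version)))
    return hits


# Constructed sample of `mvn dependency:list` output for the demonstration.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    com.hazelcast:hazelcast:jar:5.0.3:compile
[INFO]    com.hazelcast.jet:hazelcast-jet:jar:4.5.4:compile
[INFO]    org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO]    com.hazelcast:hazelcast-enterprise:jar:4.0.6:runtime
"""

if __name__ == "__main__":
    for artifact, version, fix in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{artifact} {version} is affected; upgrade to {fix}")
```

Feed it the real output of mvn dependency:list (or the resolved versions from a lock file or SBOM) rather than the declared version in pom.xml, since a transitive dependency can pull in an affected hazelcast artifact that never appears in the top-level build file.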