Sign In

GMS-2022-8870

ADVISORY - gitlab

Summary

Impact

The Connection handler in Hazelcast and Hazelcast Jet allows an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

Patches

Hazelcast Jet (and Enterprise) 4.5.4. Hazelcast IMDG (and Enterprise)3.12.13 Hazelcast IMDG (and Enterprise) 4.1.10 Hazelcast IMDG (and Enterprise) 4.2.6 Hazelcast Platform (and Enterprise) 5.1.3

Workarounds

There is no known workaround, but setups with TLS and mutual authentication enabled significantly lowers the exploitation risk.

References

https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2022-36437

Common Weakness Enumeration (CWE)

ADVISORY - gitlab

CWE-1035

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-384

Session Fixation

CWE-937

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

GitLab

CREATED

UPDATED

ADVISORY ID

GMS-2022-8870

EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-1035CWE-384CWE-937

CVSS SCORE

9.1critical