https://bugzilla.redhat.com/show_bug.cgi?id=1713215
Bug ID: 1713215
Summary: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=new,fuse-7/hazelcast=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: aileenc@redhat.com, chazlett@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, puntogil@libero.it
Target Milestone: ---
Classification: Other
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization.
Upstream issue:
https://github.com/hazelcast/hazelcast/issues/8024
Upstream pull:
https://github.com/hazelcast/hazelcast/pull/12230
Marian Rehak mrehak@redhat.com changed:
What: Depends On
Removed: (none)
Added: 1713216
--- Comment #1 from Marian Rehak mrehak@redhat.com --- Created hazelcast tracking bugs for this issue:
Affects: fedora-all [bug 1713216]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1713216 [Bug 1713216] CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution [fedora-all]
Marian Rehak mrehak@redhat.com changed:
What: Blocks
Removed: (none)
Added: 1713217
Jonathan Christison jochrist@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=new,fuse-7/hazelcast=new
Added: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=affected,fuse-7/hazelcast=affected
Jonathan Christison jochrist@redhat.com changed:
What: CC
Removed: (none)
Added: avibelli@redhat.com, bgeorges@redhat.com, jbalunas@redhat.com, jpallich@redhat.com, krathod@redhat.com, lthon@redhat.com, mszynkie@redhat.com, pgallagh@redhat.com, rruss@redhat.com, trogers@redhat.com

What: Whiteboard
Removed: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=affected,fuse-7/hazelcast=affected
Added: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=affected,fuse-7/hazelcast=affected,vertx-3/hazelcast=affected
Kunjan Rathod krathod@redhat.com changed:
What: Whiteboard
Removed: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=affected,fuse-7/hazelcast=affected,vertx-3/hazelcast=affected
Added: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=affected,fuse-7/hazelcast=affected,vertx-3/hazelcast=wontfix
--- Comment #6 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.4.0
Via RHSA-2019:2413 https://access.redhat.com/errata/RHSA-2019:2413
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What: External Bug ID
Removed: (none)
Added: Red Hat Product Errata RHSA-2019:2413
Product Security DevOps Team prodsec-dev@redhat.com changed:
What: Status
Removed: NEW
Added: CLOSED

What: Resolution
Removed: ---
Added: ERRATA

What: Last Closed
Removed: (none)
Added: 2019-08-08 13:18:40
--- Comment #7 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2016-10750
--- Comment #8 from Kunjan Rathod krathod@redhat.com --- Statement:
The module vertx-hazelcast is not supported in Red Hat OpenShift Application Runtimes (RHOAR) products.
Bug 1713215 depends on bug 1713216, which changed state.
Bug 1713216 Summary: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1713216
What: Status
Removed: NEW
Added: CLOSED

What: Resolution
Removed: ---
Added: WONTFIX
--- Doc Text *updated* by Paramvir jindal pjindal@redhat.com --- A flaw was found in Hazelcast where the cluster join procedure is vulnerable to remote code execution via Java deserialization.
--- Doc Text *updated* by RaTasha Tillery-Smith rtillery@redhat.com --- A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization.