https://bugzilla.redhat.com/show_bug.cgi?id=1713215
Bug ID: 1713215
Summary: CVE-2016-10750 hazelcast: java deserialization in join cluster procedure leading to remote code execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20160426,reported=20190522,source=cve,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-502,fedora-all/hazelcast=affected,fuse-6/hazelcast=new,fuse-7/hazelcast=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: aileenc@redhat.com, chazlett@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jochrist@redhat.com, puntogil@libero.it
Target Milestone: ---
Classification: Other
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization.
Upstream issue:
https://github.com/hazelcast/hazelcast/issues/8024
Upstream pull:
https://github.com/hazelcast/hazelcast/pull/12230