PT-2022-23369 · Hazelcast

Degerhz · Published 2022-12-27 · Updated 2023-01-09 · CVE-2022-36437

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Hazelcast versions prior to 3.12.13
Hazelcast versions prior to 4.1.10
Hazelcast versions prior to 4.2.6
Hazelcast versions prior to 5.1.3
Hazelcast Jet versions prior to 4.5.4
Description

The connection handler in Hazelcast and Hazelcast Jet allows a remote, unauthenticated attacker to access and manipulate data in the cluster with the identity of another, already authenticated connection.

If you are using the Apiman Vert.x Gateway prior to Apiman 3.0.0.Final, a connection caching issue in Hazelcast could allow an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity. The precise risk is difficult to quantify, as plugins deployed by users may make use of Hazelcast in a different manner from the main Apiman codebase.
Recommendations

Upgrade Hazelcast to version 3.12.13 or later.
Upgrade Hazelcast to version 4.1.10 or later.
Upgrade Hazelcast to version 4.2.6 or later.
Upgrade Hazelcast to version 5.1.3 or later.
Upgrade Hazelcast Jet to version 4.5.4 or later.

As a temporary workaround, consider enabling TLS and mutual authentication to significantly lower the exploitation risk. If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice or long-term support.
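The TLS-plus-mutual-authentication workaround above, written out as a member-side hazelcast.yaml network block. This is an added illustration, not configuration from this advisory or from the Hazelcast or Apiman projects; the property names follow Hazelcast's documented BasicSSLContextFactory settings, while the file paths and passwords are placeholders, and TLS is a Hazelcast Enterprise feature.

```yaml
# Weak form (what the advisory's workaround replaces): no TLS on the
# member port, so any peer that can reach it can open a connection.
#
# hazelcast:
#   network:
#     ssl:
#       enabled: false

# Hardened form: TLS on, and every connecting member or client must present
# a certificate that the trust store accepts before the connection is usable.
hazelcast:
  network:
    ssl:
      enabled: true
      factory-class-name: com.hazelcast.nio.ssl.BasicSSLContextFactory
      properties:
        protocol: TLSv1.2
        # REQUIRED rejects peers without a trusted client certificate;
        # OPTIONAL would still admit unauthenticated peers.
        mutualAuthentication: REQUIRED
        keyStore: /opt/hazelcast/conf/member.p12          # placeholder path
        keyStorePassword: CHANGE_ME                       # placeholder
        keyStoreType: PKCS12
        trustStore: /opt/hazelcast/conf/truststore.p12    # placeholder path
        trustStorePassword: CHANGE_ME                     # placeholder
        trustStoreType: PKCS12
```

Clients (including the Apiman gateway's embedded Hazelcast client) need the mirror-image `hazelcast-client: network: ssl:` block with their own key store, otherwise they are refused once mutual authentication is REQUIRED.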

Weakness Enumeration

Session Fixation

Related Identifiers

CVE-2022-36437
GHSA-C5HG-MR8R-F6JP
GHSA-Q2FJ-6H62-59M2

Affected Products

Apiman
Apiman Vert.X Gateway
Hazelcast
Hazelcast Jet