#VU71593 Session Fixation in Hazelcast Jet and Hazelcast - CVE-2022-36437

Cybersecurity Help s.r.o.

Published: 2023-01-27 | Updated: 2023-02-08

Vulnerability identifier: #VU71593

Vulnerability risk: High

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2022-36437

CWE-ID: CWE-384

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Hazelcast Jet
Server applications / Other server solutions
Hazelcast
Server applications / Other server solutions

Vendor: Hazelcast

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to a connection caching issue. A unauthenticated attacker can access and manipulate data in the cluster with the identity of another already authenticated connection.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Hazelcast Jet: 0.1 - 4.5.3

Hazelcast: before 3.12.13, 4.1.10, 4.2.6, 5.0.4, 5.1.3, 3.12.13, 3.12.13, 3.12.13, 3.12.13, 3.12.13

External links
https://github.com/hazelcast/hazelcast/security/advisories/GHSA-c5hg-mr8r-f6jp

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Fuse 7

Multiple vulnerabilities in IBM Voice Gateway

Multiple vulnerabilities in Red Hat Fuse 7.11

Session fixation in Hazelcast