Hazelcast Cluster Join Procedure Remote Code Execution Vulnerability

By GIXnews


A vulnerability in Hazelcast could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability exists because the cluster join procedure feature of the affected software allows for the deserialization of untrusted input. An attacker could exploit this vulnerability by sending a JoinRequest that submits malicious input to a targeted, listening Hazelcast instance. If vulnerable classes exist in the classpath on the system, a successful exploit could allow the attacker to execute arbitrary code.

Hazelcast has confirmed the vulnerability and released a software update.

Security Impact Rating: High

CVE: CVE-2016-10750

Source: Cisco Multivendor Vulnerability Alerts