Vulnerability Description
In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Hazelcast | Hazelcast | < 3.11 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:2413
- https://github.com/hazelcast/hazelcast/issues/8024 (Issue Tracking, Third Party Advisory)
- https://github.com/hazelcast/hazelcast/pull/12230 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2016-10750?
CVE-2016-10750 is a vulnerability with a CVSS score of 8.1 (HIGH). In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest...
How severe is CVE-2016-10750?
CVE-2016-10750 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-10750?
Check the references section above for vendor advisories and patch information. Affected products include: Hazelcast Hazelcast.