CVE-2016-10750 – hazelcast: java deserialization in join cluster procedure leading to remote code execution

https://notcve.org/view.php?id=CVE-2016-10750

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code. En Hazelcast anterior de la versión 3.11, el procedimiento de apilado o agrupamiento es vulnerable a la ejecución remota de código por medio de la deserialización de Java. Si un atacante puede alcanzar una instancia de acceso a Hazelcast con un JoinRequest creado y existen clases vulnerables en el classpath, el atacante puede ejecutar un código arbitrario. A flaw was found in the cluster join procedure in Hazelcast. • https://access.redhat.com/errata/RHSA-2019:2413 https://github.com/hazelcast/hazelcast/issues/8024 https://github.com/hazelcast/hazelcast/pull/12230 https://access.redhat.com/security/cve/CVE-2016-10750 https://bugzilla.redhat.com/show_bug.cgi?id=1713215 • CWE-502: Deserialization of Untrusted Data •