CVE-2016-10750

hazelcast: java deserialization in join cluster procedure leading to remote code execution

Severity Score

8.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

En Hazelcast anterior de la versión 3.11, el procedimiento de apilado o agrupamiento es vulnerable a la ejecución remota de código por medio de la deserialización de Java. Si un atacante puede alcanzar una instancia de acceso a Hazelcast con un JoinRequest creado y existen clases vulnerables en el classpath, el atacante puede ejecutar un código arbitrario.

A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization.

This release of Red Hat Fuse 7.4.0 serves as a replacement for Red Hat Fuse 7.3, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include bypass, code execution, cross site request forgery, and deserialization vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-05-22 CVE Reserved
2019-05-22 CVE Published
2024-08-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-502: Deserialization of Untrusted Data

CAPEC

References (5)

URL	Tag	Source
https://github.com/hazelcast/hazelcast/issues/8024	Issue Tracking
https://github.com/hazelcast/hazelcast/pull/12230	Issue Tracking

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:2413	2019-08-08
https://access.redhat.com/security/cve/CVE-2016-10750	2019-08-08
https://bugzilla.redhat.com/show_bug.cgi?id=1713215	2019-08-08

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hazelcast Search vendor "Hazelcast"		Hazelcast Search vendor "Hazelcast" for product "Hazelcast"				< 3.11 Search vendor "Hazelcast" for product "Hazelcast" and version " < 3.11"		-		Affected