[OKAPI-1152] Hazelcast 4.2.6 fixing improver authentication CVE-2022-36437 - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: TBD
Resolution: Done
Affects Version/s: 4.13.0, 4.13.1, 4.13.2, 4.14.0, 4.14.1, 4.14.2, 4.14.3, 4.14.4, 4.14.5, 4.14.6, 4.14.7
Fix Version/s: 4.13.3, 4.14.8, 4.14.9
Labels:
- security

Template:

Standard Bug Write-Up Format
Sprint:
CP: Sprint 156
Story Points:
1
Development Team:
Core: Platform
RCA Group:
Related dependency upgrade
Affected releases:

Lotus (R1 2022)

Description

Hazelcast up to 4.2.5 allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection:

https://nvd.nist.gov/vuln/detail/CVE-2022-36437

Okapi 4.14.0 - 4.14.7 and 4.13.0 - 4.13.2 and all older versions use a vulnerable Hazelcast version.

Okapi 4.14.8 and all following versions and 4.13.3 and all following 4.13.x versions use the fixed Hazelcast version.

This issue bumps Hazelcast from 4.2.2 to 4.2.6 in the b14.3 branch.

The b14.4 branch had been updated before the security issue was published: https://github.com/folio-org/okapi/releases/tag/v4.14.8

TestRail: Results

Attachments

Issue Links

relates to

MODEUSHARV-78 Hazelcast 4.2.6 fixing improper authentication CVE-2022-36437, RMB 35.0.4, Vert.x 4.3.7

Closed

OKAPI-1153 Release Okapi 4.13.3

Closed

OKAPI-1137 Upgrade to Hazelcast 4.2.6

Closed

Activity

People

Assignee:: Julian Ladisch

Reporter:: Julian Ladisch

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 14/Jan/23 2:32 PM

Updated:: 22/Mar/23 1:11 PM

Resolved:: 15/Jan/23 5:47 PM

Hazelcast 4.2.6 fixing improver authentication CVE-2022-36437