Impact
If you are using the Apiman Vert.x Gateway prior to Apiman 3.0.0.Final, a connection caching issue in Hazelcast could allow an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity.
Hazelcast is a transitive dependency of the Apiman Vert.x Gateway.
The precise risk is difficult to quantify at this juncture as plugins deployed by users may make use of Hazelcast in a different manner to the main Apiman codebase.
If any of your custom Apiman plugins specify Hazelcast dependencies, you should also bump these versions.
Hint: an easy way to track Apiman dependency versions is to use apiman-parent.
If you use the Apiman Tomcat or WildFly Gateway this does not affect you.
Patches
Upgrade to Apiman 3.0.0.Final or later.
If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.
Workarounds
None (other than doing your own build).
References
Impact
If you are using the Apiman Vert.x Gateway prior to Apiman 3.0.0.Final, a connection caching issue in Hazelcast could allow an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection's identity.
Hazelcast is a transitive dependency of the Apiman Vert.x Gateway.
The precise risk is difficult to quantify at this juncture as plugins deployed by users may make use of Hazelcast in a different manner to the main Apiman codebase.
If any of your custom Apiman plugins specify Hazelcast dependencies, you should also bump these versions.
Hint: an easy way to track Apiman dependency versions is to use
apiman-parent.If you use the Apiman Tomcat or WildFly Gateway this does not affect you.
Patches
Upgrade to Apiman 3.0.0.Final or later.
If you are using an older version of Apiman and need to remain on that version, contact your Apiman support provider for advice/long-term support.
Workarounds
None (other than doing your own build).
References