Hazelcast is vulnerable to untrusted deserialization remote code execution #8024
I emailed the support address on April 17 and received a response indicating that I should report my findings here. So here we are.
The Hazelcast cluster join procedure is vulnerable to remote code execution due to Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted
This was verified against the latest code from the Git repository, as well as releases 3.7 and 3.2.1.
I have a small whitelist/blacklist filter patch that I can submit a PR for, once I'm cleared to do so. I've already emailed the signed form. Or if you have another solution, feel free!
If you choose to go the filtering route, the Hazelcast team should probably create a default whitelist for serialization, because blacklists are almost always out of date as soon as they are created.
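The allow-list approach the report recommends, shown as an added illustration rather than Hazelcast's code or the submitter's patch: a filtering ObjectInputStream that refuses any class descriptor not explicitly permitted, so unexpected gadget classes fail before anything is instantiated. The message and field class names are hypothetical placeholders.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectStreamClass;
import java.util.Set;

/**
 * Allow-list filtering ObjectInputStream: a class is resolved only when its
 * name is on the list; everything else is rejected in resolveClass(), which
 * runs before the class is loaded or any instance is created.
 */
public final class AllowListObjectInputStream extends ObjectInputStream {

    private final Set<String> allowed;

    public AllowListObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
        super(in);
        this.allowed = allowed;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // resolveClass() is invoked for every class descriptor in the stream, including
        // superclasses and array types (e.g. "[Ljava.lang.String;"), so each must be listed.
        if (!allowed.contains(name)) {
            throw new InvalidClassException(name, "class not on deserialization allow-list");
        }
        return super.resolveClass(desc);
    }

    // Deserialize a join-request payload, accepting only the expected message class and the
    // JDK types it is known to contain. "com.example.cluster.JoinRequest" is a hypothetical name.
    public static Object readJoinRequest(InputStream in) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(
                "com.example.cluster.JoinRequest",
                "java.lang.String",
                "java.lang.Number",   // superclass of Integer; needed because it appears in the stream
                "java.lang.Integer",
                "java.util.HashMap");
        try (ObjectInputStream ois = new AllowListObjectInputStream(in, allowed)) {
            return ois.readObject();
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the JDK's built-in ObjectInputFilter (JEP 290) instead of subclassing; the allow-list content is what matters, not the mechanism.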
Apr 26, 2016
The issue is not resolved yet. Users of the Enterprise edition can avoid the untrusted deserialization in the member joining procedure by
If the member discovery mode is UDP multicast, then only symmetric encryption avoids the abuse.