<html>
    <head>
      <base href="https://bugzilla.rosalinux.ru/">
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Platform</th>
          <td>2021.1
          </td>
        </tr>

        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_CONFIRMED "
   title="CONFIRMED - [CVE 21] hazelcast 3.2.2 CVEs found"
   href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13533">13533</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>[CVE 21] hazelcast 3.2.2 CVEs found
          </td>
        </tr>

        <tr>
          <th>Classification</th>
          <td>ROSA-based products
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>ROSA Fresh
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>URL</th>
          <td>CVE-2016-10750, CVE-2022-36437
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>Linux
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>CONFIRMED
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>Normal
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>System (kernel, glibc, systemd, bash, PAM...)
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>QA Contact</th>
          <td>bugs&#64;lists.rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>CC</th>
          <td>e.kosachev&#64;rosalinux.ru, s.matveev&#64;rosalinux.ru, y.tumanov&#64;rosalinux.ru
          </td>
        </tr>

        <tr>
          <th>Target Milestone</th>
          <td>---
          </td>
        </tr>

        <tr>
          <th>Flags</th>
          <td>secteam_verified?
          </td>
        </tr></table>
      <p>
        <div>
        <pre>Please patch CVEs for package hazelcast version 3.2.2

INFO (CVEs are): hazelcast 3.2.2
 cves found
CVE-2016-10750
Desc: In Hazelcast before 3.11, the cluster join procedure is vulnerable to
remote code execution via Java deserialization. If an attacker can reach a
listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes
exist in the classpath, the attacker can run arbitrary code.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-10750">https://nvd.nist.gov/vuln/detail/CVE-2016-10750</a>
Severity: HIGH
CVE-2022-36437
Desc: The Connection handler in Hazelcast and Hazelcast Jet allows a remote
unauthenticated attacker to access and manipulate data in the cluster with the
identity of another already authenticated connection. The affected Hazelcast
versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected
Hazelcast Jet versions are through 4.5.3.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-36437">https://nvd.nist.gov/vuln/detail/CVE-2022-36437</a>
Severity: CRITICAL</pre>
        </div>
      </p>


    </body>
</html>