CVE-2022-36437
Description
Hazelcast and Hazelcast Jet connection handler vulnerability allows remote unauthenticated attackers to impersonate authenticated users and access or manipulate cluster data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The connection handler in Hazelcast and Hazelcast Jet contains a flaw that allows a remote unauthenticated attacker to access and manipulate data in the cluster under the identity of another, already authenticated connection [1][3]. The issue stems from improper handling of connection identities, which lets an attacker take over an existing session without authenticating first.
Exploitation
An attacker can exploit this vulnerability by sending specially crafted network requests to a vulnerable Hazelcast or Hazelcast Jet cluster. No authentication is required, and the attack is remotely exploitable over the network [1]. While enabling TLS with mutual authentication significantly lowers the risk, it does not fully eliminate the vulnerability [3].
Impact
Successful exploitation grants the attacker the same privileges as an authenticated user, allowing unauthorized access to cluster data and the ability to manipulate that data [1][3]. This could lead to data breaches, data corruption, or further compromise of the cluster and connected systems.
Mitigation
Hazelcast has released patches for the affected versions: Hazelcast Jet 4.5.4, Hazelcast IMDG 3.12.13, 4.1.10, 4.2.6, and Hazelcast Platform 5.1.3 [3]. There is no known workaround, but deploying TLS with mutual authentication reduces the attack surface [3]. Users are strongly advised to upgrade to the patched versions.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.hazelcast:hazelcast | Maven | < 3.12.13 | 3.12.13 |
| com.hazelcast:hazelcast | Maven | >= 4.0, <= 4.0.6 | — |
| com.hazelcast:hazelcast | Maven | >= 4.1, < 4.1.10 | 4.1.10 |
| com.hazelcast:hazelcast | Maven | >= 4.2, < 4.2.6 | 4.2.6 |
| com.hazelcast:hazelcast | Maven | >= 5.0, < 5.0.4 | 5.0.4 |
| com.hazelcast:hazelcast | Maven | >= 5.1, < 5.1.3 | 5.1.3 |
| com.hazelcast.jet:hazelcast-jet | Maven | < 4.5.4 | 4.5.4 |
| com.hazelcast.jet:hazelcast-jet-enterprise | Maven | < 4.5.4 | 4.5.4 |
| com.hazelcast:hazelcast-enterprise | Maven | < 3.12.13 | 3.12.13 |
| com.hazelcast:hazelcast-enterprise | Maven | >= 4.0, <= 4.0.6 | — |
| com.hazelcast:hazelcast-enterprise | Maven | >= 4.1, < 4.1.10 | 4.1.10 |
| com.hazelcast:hazelcast-enterprise | Maven | >= 4.2, < 4.2.6 | 4.2.6 |
| com.hazelcast:hazelcast-enterprise | Maven | >= 5.0, < 5.0.4 | 5.0.4 |
| com.hazelcast:hazelcast-enterprise | Maven | >= 5.1, < 5.1.3 | 5.1.3 |
Affected products
GHSA package coordinates (no CPE assigned):
- pkg:maven/com.hazelcast/hazelcast, range: < 3.12.13
- pkg:maven/com.hazelcast/hazelcast-enterprise, range: < 3.12.13
- pkg:maven/com.hazelcast.jet/hazelcast-jet, range: < 4.5.4
- pkg:maven/com.hazelcast.jet/hazelcast-jet-enterprise, range: < 4.5.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (4)
News mentions
No linked articles in our index yet.