CVE-2022-36437: 
Java vulnerability analysis and mitigation

The Connection handler in Hazelcast and Hazelcast Jet contains a critical vulnerability (CVE-2022-36437) that was disclosed on December 23, 2022. This security flaw affects multiple versions of Hazelcast, including versions through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2, as well as Hazelcast Jet versions through 4.5.3 (GitHub Advisory).

The vulnerability has been assigned a Critical severity rating with a CVSS v3.1 score of 9.1. The CVSS metrics indicate that the vulnerability can be exploited over the network with low attack complexity, requires no privileges or user interaction, and while the scope is unchanged, it has high impact on both confidentiality and integrity (GitHub Advisory).

The vulnerability allows an unauthenticated, remote attacker to access and manipulate data in the cluster by assuming the identity of another authenticated connection. This poses significant risks to data confidentiality and integrity within affected Hazelcast clusters (GitHub Advisory).

Patches have been released to address this vulnerability. Users should upgrade to Hazelcast Jet (and Enterprise) 4.5.4, Hazelcast IMDG (and Enterprise) 3.12.13, 4.1.10, 4.2.6, or Hazelcast Platform (and Enterprise) 5.1.3. While there is no known workaround, implementing TLS and mutual authentication can significantly reduce the risk of exploitation (GitHub Advisory).