{
  "threat_severity" : "Important",
  "public_date" : "2016-04-26T00:00:00Z",
  "bugzilla" : {
    "description" : "hazelcast: java deserialization in join cluster procedure leading to remote code execution",
    "id" : "1713215",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1713215"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.1",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-502",
  "details" : [ "In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and classes that are exploitable during deserialization (gadget classes) exist on the classpath, the attacker can run arbitrary code.", "A flaw was found in the cluster join procedure in Hazelcast. This flaw allows an attacker to gain remote code execution via Java deserialization." ],
  "statement" : "The module vertx-hazelcast is not supported in Red Hat OpenShift Application Runtimes (RHOAR) products.",
  "affected_release" : [ {
    "product_name" : "Red Hat Fuse 7.4.0",
    "release_date" : "2019-08-08T00:00:00Z",
    "advisory" : "RHSA-2019:2413",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "hazelcast"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Affected",
    "package_name" : "hazelcast",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat OpenShift Application Runtimes",
    "fix_state" : "Will not fix",
    "package_name" : "hazelcast",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-10750\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-10750" ],
  "name" : "CVE-2016-10750",
  "csaw" : false
}