Security Advisory for "Spring4Shell"

Critical
kwart published GHSA-4ph3-wvpc-pm3h Oct 24, 2022

Package

maven Hazelcast Management Center (Maven)

Affected versions

<5.1.2

Patched versions

5.1.2

Description

Impact

Among Hazelcast products, only Hazelcast Management Center depends on Spring, so it is the only one that can be affected.

Other Hazelcast products, such as Hazelcast Platform and IMDG, do not use Spring, so they are not affected.

All of the following conditions must hold for a Hazelcast Management Center setup to be vulnerable:
Running on JDK 9 or higher.
Using Apache Tomcat as the Servlet container.
The application is deployed as a WAR file.

Patches

Hazelcast Management Center was patched in an emergency release, Management Center version 5.1.2, on 04/06/2022. Users are encouraged to upgrade to this version.

Workarounds

Until users can upgrade to a patched Management Center version, the following mitigations can be applied:
Deploying as a JAR or a Docker container instead of a WAR.
Running on Java 8.
Using a servlet container other than Tomcat.
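The vulnerability conditions and the workarounds above mirror each other: each workaround removes one condition. The following triage helper is an added example, not part of this advisory or of Hazelcast's tooling. It takes the facts an operator already has about a deployment (Management Center version, the first line of `java -version`, the servlet container, the packaging) and reports whether every condition in the advisory holds. The `Deployment` structure, the sample deployments and the `assess` function are assumptions made for this example; the patched version 5.1.2 and the three conditions come from the advisory.

```python
"""Triage helper for GHSA-4ph3-wvpc-pm3h (CVE-2022-22965) in Hazelcast Management Center.

Added example, not part of the advisory or of Hazelcast's own tooling.
It evaluates the advisory's conditions against facts about a deployment
and lists which of the advisory's mitigations would break the chain.
"""
from dataclasses import dataclass
import re

PATCHED_VERSION = (5, 1, 2)  # from the advisory: fixed in Management Center 5.1.2


def parse_version(version: str) -> tuple:
    """Parse a dotted version such as '5.1.1' or '5.1' into a comparable tuple.

    Missing components count as 0; a non-numeric suffix ('5.1.2-SNAPSHOT')
    is ignored for comparison purposes.
    """
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def parse_java_major(version_line: str) -> int:
    """Extract the Java major version from the first line of `java -version`.

    Handles both the legacy '1.8.0_312' scheme (major 8) and the modern
    '11.0.2' / '17' scheme.
    """
    m = re.search(r'"(\d+)(?:\.(\d+))?', version_line)
    if not m:
        raise ValueError(f"cannot find a Java version in: {version_line!r}")
    major, minor = int(m.group(1)), m.group(2)
    if major == 1 and minor is not None:  # '1.8' means Java 8
        return int(minor)
    return major


@dataclass
class Deployment:
    """Assumed shape for the facts about one deployment (example only)."""
    mc_version: str          # Hazelcast Management Center version string
    java_version_line: str   # first line of `java -version` output
    servlet_container: str   # e.g. "tomcat", "jetty", "embedded"
    packaging: str           # "war", "jar" or "docker"


def assess(d: Deployment) -> dict:
    """Evaluate the advisory's conditions; all of them must hold to be exposed."""
    java_major = parse_java_major(d.java_version_line)
    conditions = {
        "management_center_unpatched": parse_version(d.mc_version) < PATCHED_VERSION,
        "jdk_9_or_higher": java_major >= 9,
        "tomcat_container": d.servlet_container.strip().lower() == "tomcat",
        "war_packaging": d.packaging.strip().lower() == "war",
    }
    exposed = all(conditions.values())
    # Mitigations from the advisory; each one negates one condition above.
    workarounds = []
    if exposed:
        workarounds = [
            "upgrade Management Center to 5.1.2 or later",
            "deploy as JAR or Docker container instead of WAR",
            "run on Java 8",
            "use a servlet container other than Tomcat",
        ]
    return {"exposed": exposed, "conditions": conditions, "workarounds": workarounds}


if __name__ == "__main__":
    # Constructed sample deployments for illustration, not real inventory data.
    samples = [
        Deployment("5.1.1", 'openjdk version "11.0.2" 2019-01-15', "tomcat", "war"),
        Deployment("5.1.1", 'openjdk version "1.8.0_312"', "tomcat", "war"),
        Deployment("5.1.2", 'openjdk version "17" 2021-09-14', "tomcat", "war"),
    ]
    for s in samples:
        r = assess(s)
        failing = [k for k, v in r["conditions"].items() if not v]
        print(f"MC {s.mc_version}: exposed={r['exposed']} conditions_not_met={failing}")
```

Only a deployment that satisfies all four conditions is reported as exposed; the second and third samples fail on the Java version and on the Management Center version respectively, which is exactly what the "Java 8" workaround and the 5.1.2 upgrade achieve.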

Severity

Critical

CVE ID

CVE-2022-22965

Weaknesses

No CWEs

Credits