CVE-2022-36437: Hazelcast connection caching

The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 3.12.12, 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3.

An unauthorized user is able to run protected client tasks if her connection ID is equal to an already authenticated user’s existing one. The check if the client endpoint is trusted is done against a Map<Connection, ClientEndpoint>. With only the int-typed connection ID in its equals() method compared it’s easy to bypass the check. For the attacker it’s only about spending some time on opening/closing connection in a loop.