GMS-2022-9213: Apiman Vert.x Gateway has Transitive Hazelcast connection caching issue
Impact
If you are using the Apiman Vert.x Gateway prior to Apiman 3.0.0.Final, a connection caching issue in Hazelcast could allow an unauthenticated, remote attacker to access and manipulate data in the cluster with another authenticated connection’s identity.
Hazelcast is a transitive dependency of the Apiman Vert.x Gateway.
The precise risk is difficult to quantify at this juncture as plugins deployed by users may make use of Hazelcast in a different manner to the main Apiman codebase.
If any of your custom Apiman plugins specify Hazelcast dependencies, you should also bump these versions.
Hint: an easy way to track Apiman dependency versions is to use apiman-parent
.
If you use the Apiman Tomcat or WildFly Gateway this does not affect you.
Patches
Upgrade to Apiman 3.0.0.Final or later.
If you are using an older version of Apiman and need to remain on that version, contact to your Apiman support provider for advice/long-term support.
Workarounds
None (other than doing your own build).
References
References
Detect and mitigate GMS-2022-9213 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →