It was found that the Hot Rod client in Infinispan before 9.2.0.CR1 unsafely deserialized data read from the cache. An authenticated attacker could inject a malicious serialized object into the data cache and have it deserialized on the client, and possibly conduct further attacks.
| Software | From | Fixed in |
|---|---|---|
| infinispan / infinispan | 9.2.0-cr1 | 9.2.0-cr1.x |
| infinispan / infinispan | 9.2.0-beta2 | 9.2.0-beta2.x |
| infinispan / infinispan | 9.2.0-beta1 | 9.2.0-beta1.x |
| infinispan / infinispan | 9.2.0-alpha2 | 9.2.0-alpha2.x |
| infinispan / infinispan | 9.2.0-alpha1 | 9.2.0-alpha1.x |
| infinispan / infinispan | - | 9.1.6.x |
| Software | From | Fixed in |
|---|---|---|
| org.infinispan / infinispan-core | - | 9.2.0.CR1 |
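As an added illustration (not Infinispan's own code), the pattern behind this flaw beside its mitigation: a client that reconstructs whatever serialized class the cache bytes name, versus one that refuses any class outside an explicit allowlist. The cache fetch is a local stand-in and the `CacheValue` type is assumed for the example.

```java
import java.io.*;
import java.util.Set;
public class HotRodValueReader {
    // Assumed value type for this client; constructed for the example.
    static class CacheValue implements Serializable {
        private static final long serialVersionUID = 1L;
        final String data;
        CacheValue(String data) { this.data = data; }
    }
    // Stand-in for the bytes the client reads back from the cache (built locally here).
    static byte[] fetchFromCache(String key) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(new CacheValue("value-for-" + key));
        }
        return bos.toByteArray();
    }
    // Vulnerable pattern: instantiates whatever class the stream names, so a
    // serialized object written by another cache user is reconstructed on the client.
    static Object readUnsafe(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }
    // Hardened pattern: reject any class outside an explicit allowlist before
    // the stream can instantiate it.
    static final Set<String> ALLOWED = Set.of(CacheValue.class.getName());
    static Object readAllowlisted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes)) {
            @Override
            protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
                if (!ALLOWED.contains(desc.getName())) {
                    throw new InvalidClassException(desc.getName(), "not on deserialization allowlist");
                }
                return super.resolveClass(desc);
            }
        }) {
            return in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] bytes = fetchFromCache("user:42");
        System.out.println(((CacheValue) readUnsafe(bytes)).data);       // accepts any class the stream names
        System.out.println(((CacheValue) readAllowlisted(bytes)).data);  // accepts only CacheValue
    }
}
```

On JDK 9+ (or 8u121+) the same restriction can be expressed with the standard `ObjectInputFilter` mechanism instead of overriding `resolveClass`.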