CVSS Summary
| Score | 7.2 High |
|---|---|
| Vector | Local |
| Complexity | Low |
| Authentication | None |
| Confidentiality | Complete |
| Integrity | Complete |
| Availability | Complete |
Last revised:
Xen Mobile runs a vulnerable version of a Hazelcast server inside its firewall.
Current state: Fixed
Hazelcast is an in-memory data grid service used by Xen Mobile. It contains a known vulnerability allowing an attacker to execute code remotely. An attacker able to make requests within the firewall would be able to use this vulnerability to execute arbitrary code.
2018-03-28 – Reported to Citrix and acknowledged immediately
2018-05-21 – Issue reported fixed