Xen Mobile contains a vulnerable version of Hazelcast, remote code execution via object serialisation


Last revised:

Xen Mobile runs, inside its firewall, a vulnerable version of a Hazelcast server.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 7.2 High
Vector Local
Complexity Low
Authentication None
Confidentiality Complete
Integrity Complete
Availability Complete
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Advisory timeline

2018-03-28 – Reported to Citrix and acknowledged immediately

2018-05-21 – Issue reported fixed