🔍 Overview
The eptos Base Module uses the third-party component Hazelcast as part of its core services.
CVE-2026-27727 and CVE-2022-36437 were reported as vulnerabilities affecting Hazelcast.
Updating to a newer build of the eptos-base-module image is advised.
| Summary | eptos Base Module Image Update Required because of Hazelcast vulnerabilities |
|---|---|
| Advisory Release Date | 2.6.2026 |
| Products | eptos Base Module |
| Affected Releases | prior to eptos 6.8 |
| Fixed Releases | eptos 6.8 |
| CVE ID | CVE-2026-27727, CVE-2022-36437 |
| Issue ID | BASE-2395 |
| Further information | |
Summary
CVE-2026-27727: mchange-commons-java is a Java utility library that includes its own implementation of JNDI reference resolution, modeled after early JDK behavior. This custom JNDI implementation supports remote factory values, meaning it can download and execute Java classes from external URLs during reference resolution. An attacker who can supply a malicious reference may cause the application to fetch and execute attacker-controlled code, resulting in remote code execution.
see: https://nvd.nist.gov/vuln/detail/cve-2026-27727
CVE-2022-36437 is a critical vulnerability in Hazelcast where the connection handler allows a remote, unauthenticated attacker to impersonate an authenticated connection, enabling unauthorized access to and manipulation of cluster data.
see: https://nvd.nist.gov/vuln/detail/cve-2022-36437
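To find out whether a deployed eptos-base-module image still carries the two components named above, an operator can inventory the jars inside the image and flag those belonging to Hazelcast or mchange-commons-java. The script below is an added example, not part of the advisory or of eptos; it assumes a jar path listing (for instance from `find / -name '*.jar'` run inside the image), and the paths and versions in its sample listing are constructed for illustration.

```python
import re
from typing import Dict, List

# Components named in this advisory, mapped to the CVE the advisory cites for them.
ADVISORY_COMPONENTS = {
    "hazelcast": "CVE-2022-36437",
    "mchange-commons-java": "CVE-2026-27727",
}

# Maven-style jar name: <artifact>-<version>.jar, version starting with a digit
# (e.g. hazelcast-5.1.1.jar, mchange-commons-java-0.2.19.jar, foo-1.0-SNAPSHOT.jar).
JAR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9_.-]*?)-(\d[\w.-]*)\.jar$")

def parse_jar_listing(lines: List[str]) -> List[Dict[str, str]]:
    """Turn a jar path listing (e.g. `find / -name '*.jar'` run inside the image)
    into records of artifact name and version; names without a version are skipped."""
    records = []
    for line in lines:
        name = line.strip().rsplit("/", 1)[-1]
        m = JAR_RE.match(name)
        if m:
            records.append({"jar": name, "artifact": m.group(1).lower(), "version": m.group(2)})
    return records

def flag_advisory_components(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group jars that belong to an advisory component, keyed by component name.
    Matching is deliberately broad: the artifact itself or any artifact carrying the
    component name as a prefix (hazelcast-*), so that every candidate gets reviewed."""
    report: Dict[str, List[Dict[str, str]]] = {}
    for rec in parse_jar_listing(lines):
        for component, cve in ADVISORY_COMPONENTS.items():
            if rec["artifact"] == component or rec["artifact"].startswith(component + "-"):
                report.setdefault(component, []).append({**rec, "cve": cve})
    return report

# Constructed sample listing: paths and versions are illustrative only and are
# not the contents of any real eptos-base-module build.
SAMPLE_LISTING = """\
/opt/eptos/lib/hazelcast-5.1.1.jar
/opt/eptos/lib/hazelcast-kubernetes-2.2.3.jar
/opt/eptos/lib/mchange-commons-java-0.2.19.jar
/opt/eptos/lib/c3p0-0.9.5.5.jar
/opt/eptos/lib/jackson-core-2.13.4.jar
""".splitlines()

if __name__ == "__main__":
    for component, jars in flag_advisory_components(SAMPLE_LISTING).items():
        for j in jars:
            print(f"{component:22} {j['cve']:15} {j['jar']} (version {j['version']})")
```

Flagged versions are compared against the fixed eptos 6.8 build by the operator; the advisory itself gives no per-library fixed version, so the script only reports what is present.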
Software Fixes
The fix is contained in the standard delivery of eptos-base-module starting with eptos 6.8.
What you need to do
We recommend upgrading to eptos 6.8 or later.
For earlier releases still under maintenance, the fix can be provided via the download repository upon request. Please contact your solution manager for access.
Mitigation
There is no mitigation known.
Support
If you have questions or concerns regarding this advisory, contact support (at) paradine.at.