CVE-2023-33265
📋 TL;DR
This vulnerability allows authenticated users in Hazelcast clusters to bypass permission checks for executor services, enabling them to execute tasks on cluster members without proper authorization. It affects Hazelcast versions 5.0.4 and earlier, 5.1.0 through 5.1.6, and 5.2.0 through 5.2.3.
💻 Affected Systems
- Hazelcast
- Hazelcast IMDG
- Hazelcast Jet
📦 What is this software?
Hazelcast by Hazelcast
Imdg by Hazelcast
⚠️ Risk & Real-World Impact
Worst Case
Authenticated attackers could execute arbitrary code on cluster members, potentially leading to full cluster compromise, data exfiltration, or denial of service.
Likely Case
Privilege escalation where authenticated users gain unauthorized access to execute tasks beyond their assigned permissions, potentially disrupting cluster operations.
If Mitigated
Limited impact with proper network segmentation and strict authentication controls, though privilege escalation risk remains.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once credentials are obtained. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5, 5.1.7, 5.2.4
Vendor Advisory: https://support.hazelcast.com/s/article/Security-Advisory-for-CVE-2023-33265
Restart Required: Yes
Instructions:
1. Download the patched version from the Hazelcast website.
2. Stop the Hazelcast cluster.
3. Replace the JAR files with the patched versions.
4. Restart the cluster.
5. Verify the version update.
🔧 Temporary Workarounds
Disable executor services
- Temporarily disable executor services if they are not required for operations
- Configure Hazelcast XML/YAML to remove or disable executor service configurations
Restrict network access
- Limit Hazelcast client connections to trusted networks only
- Configure firewall rules to restrict Hazelcast port access (default 5701)
🧯 If You Can't Patch
- Implement strict authentication controls and monitor for unusual executor service usage
- Segment Hazelcast clusters from sensitive systems and implement network-level access controls
🔍 How to Verify
Check if Vulnerable:
Check the Hazelcast version using the Management Center or the cluster API. If the version falls within the affected ranges and executor services are enabled, the system is vulnerable.
Check Version:
hazelcast --version or check Hazelcast logs for version information
Verify Fix Applied:
Verify Hazelcast version is 5.0.5+, 5.1.7+, or 5.2.4+ using version check command or management interface.
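The two checks above (affected-range lookup and fixed-version confirmation) as an added example, not code from Hazelcast or the advisory: it pulls an x.y.z version out of `hazelcast --version` output or a Hazelcast log line and classifies it against the ranges stated on this page. The log line format in the sample input is constructed, and the "5.0.4 and earlier" range is taken literally as stated here.

```python
"""Classify a Hazelcast version against the CVE-2023-33265 ranges on this page."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated on this page (inclusive low, inclusive high).
# "5.0.4 and earlier" is taken literally, so anything below 5.0.5 is flagged.
AFFECTED_RANGES = [
    ((0, 0, 0), (5, 0, 4)),   # 5.0.4 and earlier
    ((5, 1, 0), (5, 1, 6)),   # 5.1.0 through 5.1.6
    ((5, 2, 0), (5, 2, 3)),   # 5.2.0 through 5.2.3
]
# First fixed release on each affected branch, per the Official Fix section.
FIXED_VERSIONS = [(5, 0, 5), (5, 1, 7), (5, 2, 4)]

# Exactly three dotted components, not embedded in a longer dotted run,
# so an IPv4 address such as 172.17.0.2 in a log line is not mistaken for a version.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z version found in CLI output or a log line, else None."""
    m = _VERSION_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def is_vulnerable(v: Version) -> bool:
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def classify(text: str) -> str:
    """'vulnerable', 'fixed' (at or above the fix on an affected branch),
    'not-listed' (a branch this advisory does not name), or 'unknown'."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if is_vulnerable(v):
        return "vulnerable"
    if any(v[:2] == f[:2] and v >= f for f in FIXED_VERSIONS):
        return "fixed"
    return "not-listed"


if __name__ == "__main__":
    # Constructed sample inputs: one CLI-style line and one log-style line.
    for line in ["Hazelcast 5.2.3", "[172.17.0.2]:5701 [dev] [5.1.7] Cluster state: ACTIVE"]:
        print(f"{line!r}: {classify(line)}")
```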
📡 Detection & Monitoring
Log Indicators:
- Unauthorized executor service invocations
- Permission denied errors for executor tasks
- Unusual task execution patterns
Network Indicators:
- Unexpected executor service requests from unauthorized clients
- Increased network traffic to executor service endpoints
SIEM Query:
source="hazelcast" AND (event="executor_service" OR event="task_execution") AND user NOT IN [authorized_users]