CVE-2022-37021 – org.apache.geode:geode-core

Package

Manager: maven
Name: org.apache.geode:geode-core
Vulnerable Version: >=0 <1.12.16 || >=1.13.0 <1.13.5 || >=1.14.0 <1.14.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0074 pctl0.72055

Details

Apache Geode vulnerable to Deserialization of Untrusted Data Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.

Metadata

Created: 2022-09-01T00:00:26Z
Modified: 2023-03-10T23:21:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/09/GHSA-q4q3-r45f-7gwg/GHSA-q4q3-r45f-7gwg.json
CWE IDs: ["CWE-502"]
Alternative ID: GHSA-q4q3-r45f-7gwg
Finding: F096
Auto approve: 1