Apache Geode <=1.14 Deserialization via JMX/RMI on Java 8
CVE-2022-37021 Published on August 31, 2022
Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-37021 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-37021
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-37021 are published in Apache Geode:
Affected Versions
Apache Software Foundation Apache Geode:- Version Apache Geode, <= 1.12.5 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.