Apache Geode <1.15 Deserialization via JMX/RMI on Java 11
CVE-2022-37022 Published on August 31, 2022
Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2022-37022 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2022-37022
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2022-37022 are published in Apache Geode:
Affected Versions
Apache Software Foundation Apache Geode:- Version Apache Geode, <= 1.12.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.