GSD-2022-37021
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-37021",
"description": "Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify \"--J=-Dgeode.enableGlobalSerialFilter=true\" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the \"serializable-object-filter\" configuration option. Using a global serial filter will impact performance.",
"id": "GSD-2022-37021"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-37021"
],
"details": "Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify \"--J=-Dgeode.enableGlobalSerialFilter=true\" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the \"serializable-object-filter\" configuration option. Using a global serial filter will impact performance.",
"id": "GSD-2022-37021",
"modified": "2023-12-13T01:19:13.289367Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-37021",
"STATE": "PUBLIC",
"TITLE": "Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8. "
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Apache Geode",
"version": {
"version_data": [
{
"platform": "Java 8",
"version_affected": "\u003c=",
"version_name": "Apache Geode",
"version_value": "1.12.5"
},
{
"platform": "Java 8",
"version_affected": "\u003c=",
"version_name": "Apache Geode",
"version_value": "1.13.4"
},
{
"platform": "Java 8",
"version_affected": "\u003c=",
"version_name": "Apache Geode",
"version_value": "1.14.0"
}
]
}
}
]
},
"vendor_name": "Apache Software Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify \"--J=-Dgeode.enableGlobalSerialFilter=true\" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the \"serializable-object-filter\" configuration option. Using a global serial filter will impact performance."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": [
{
"other": "high - possible RCE"
}
],
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr",
"refsource": "MISC",
"url": "https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr"
}
]
},
"source": {
"defect": [
"GEODE-9758"
],
"discovery": "UNKNOWN"
},
"work_around": [
{
"lang": "eng",
"value": "Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators. "
}
]
},
"gitlab.com": {
"advisories": [
{
"affected_range": "(,1.12.5],[1.13.0,1.13.4],[1.14.0]",
"affected_versions": "All versions up to 1.12.5, all versions starting from 1.13.0 up to 1.13.4, version 1.14.0",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-502",
"CWE-937"
],
"date": "2022-09-07",
"description": "Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 is vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify \"--J=-Dgeode.enableGlobalSerialFilter=true\" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the \"serializable-object-filter\" configuration option. Using a global serial filter will impact performance.",
"fixed_versions": [],
"identifier": "CVE-2022-37021",
"identifiers": [
"CVE-2022-37021"
],
"not_impacted": "",
"package_slug": "maven/org.apache.geode/geode-core",
"pubdate": "2022-08-31",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Deserialization of Untrusted Data",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-37021",
"https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr"
],
"uuid": "f335cc5d-634b-4cab-bd90-0523204d246e"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.13.4",
"versionStartIncluding": "1.13.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:geode:1.14.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.12.5",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security@apache.org",
"ID": "CVE-2022-37021"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify \"--J=-Dgeode.enableGlobalSerialFilter=true\" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the \"serializable-object-filter\" configuration option. Using a global serial filter will impact performance."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "N/A",
"refsource": "CONFIRM",
"tags": [
"Mailing List",
"Vendor Advisory"
],
"url": "https://lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-09-07T00:57Z",
"publishedDate": "2022-08-31T07:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…