CVE-2017-15692
Description
In Apache Geode before v1.4.0, the TcpServer within the Geode locator opens a network port that deserializes data. If an unprivileged user gains access to the Geode locator, they may be able to cause remote code execution if certain classes are present on the classpath.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode locator's TcpServer in versions before 1.4.0 deserializes untrusted data, allowing unprivileged attackers to achieve remote code execution.
Vulnerability
In Apache Geode versions before v1.4.0, the TcpServer component within the Geode locator opens a network port that performs Java deserialization on incoming data [1]. The deserialization occurs without any filtering of permissible classes, making the locator susceptible to a gadget-chain attack if arbitrary classes are present on the classpath [1][2].
Exploitation
An attacker who can reach the Geode locator's network port (typically a TCP port used for internal cluster communication) can send a maliciously crafted serialized Java object. No authentication or special privileges are required beyond network access to the locator [1]. The attacker must craft a payload that, when deserialized, triggers a chain of method invocations from classes already available on the Geode server's classpath [1].
Impact
Successful exploitation leads to remote code execution (RCE) in the context of the Geode locator process. The attacker can execute arbitrary operating system commands or manipulate the Geode cluster, potentially compromising the entire Apache Geode deployment [1]. Confidentiality, integrity, and availability are all at risk.
Mitigation
The issue has been resolved in Apache Geode v1.4.0 [2]. The fix introduces two new properties—serializable-object-filter and validate-serializable-objects—that allow operators to whitelist or blacklist classes for deserialization [2][3]. Users should upgrade to v1.4.0 or later and configure these properties to restrict deserialization to known safe classes [3]. No known workaround exists for versions prior to the fix.
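The two 1.4.0 properties described above, as an added example that is not Apache Geode's own code: it applies the same allow-list policy to a plain JDK ObjectInputStream (Java 9+), assuming the serializable-object-filter value follows the JEP 290 pattern syntax; the Order class and the pattern value are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;

// Added example (Java 9+), not Apache Geode code. It applies to a plain JDK
// stream the policy the 1.4.0 locator properties express:
//   validate-serializable-objects=true
//   serializable-object-filter=<allow-list>;!*
// Assumption: the property value uses the JEP 290 pattern syntax that
// ObjectInputFilter.Config.createFilter parses ("!" denies, ";" separates).
public class LocatorFilterDemo {
    // The one application type the locator is expected to deserialize.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        long id; double total;
        Order(long id, double total) { this.id = id; this.total = total; }
    }

    // Exactly this class is allowed; "!*" rejects every other class before it
    // is resolved. In gemfire.properties you would name your real package,
    // e.g. com.example.orders.**;!*  (constructed value).
    static final String FILTER = "LocatorFilterDemo$Order;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // validate=false mirrors the pre-1.4.0 locator: every class in the stream is
    // trusted. validate=true installs the allow-list before readObject().
    static Object read(byte[] bytes, boolean validate) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (validate) ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] order = serialize(new Order(42, 9.99));
        byte[] other = serialize(new HashMap<String, String>()); // stands in for any unexpected class
        System.out.println("no filter, HashMap: " + read(other, false).getClass().getName());
        System.out.println("filter,    Order:   " + read(order, true).getClass().getName());
        try {
            read(other, true);
        } catch (InvalidClassException e) {
            System.out.println("filter,    HashMap: " + e.getMessage()); // filter status: REJECTED
        }
    }
}
```

The rejection happens when the class descriptor is read, before any field data or readObject hook of the unlisted class runs, which is what makes the allow-list effective against gadget chains.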
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | >= 1.0.0, < 1.4.0 | 1.4.0 |
Affected products
- Apache Software Foundation / Apache Geode, range: 1.0.0 to 1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-w395-hpq9-7xwr (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-15692 (NVD entry)
- www.securityfocus.com/bid/103205 (SecurityFocus BID)
- github.com/apache/geode/pull/1166 (fix pull request)
- issues.apache.org/jira/browse/GEODE-3923 (Apache JIRA)
- lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E (mailing list)
- lists.apache.org/thread/dctjhhjtomnsk625dj90dg4sgm438k0k (mailing list)
News mentions
No linked articles in our index yet.