CVE-2017-15693
Description
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode before v1.4.0 deserializes untrusted data, allowing authenticated users with DATA:WRITE access to achieve remote code execution.
Vulnerability
In Apache Geode versions before v1.4.0, the server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized without any check on what they contain. This insecure deserialization flaw exists because Geode placed no restriction on which classes an ObjectInputStream would instantiate from incoming data [1]: whatever serializable class the stream named was loaded from the server's classpath and its deserialization hooks were run. The fix in v1.4.0 adds two properties: validate-serializable-objects, which switches the check on, and serializable-object-filter, which holds the allow-list/deny-list of class-name patterns that the check enforces [2][3].
Exploitation
An attacker must have DATA:WRITE access to the Geode cluster. With that privilege, the attacker can store a crafted serialized Java object in the cluster whose stream names a class that performs arbitrary actions while being deserialized. When the Geode server later performs a cluster operation or API invocation that deserializes the stored object, the malicious payload is deserialized and its effects run on the server [1]. The exploit depends on suitable gadget classes (classes whose deserialization hooks can be chained into command execution) being present on the Geode server's classpath [1]; the attacker does not need to upload any class, only to name classes that are already there.
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Geode server. This results in full remote code execution (RCE) with the privileges of the Geode process, leading to complete compromise of confidentiality, integrity, and availability of the server and its data [1].
Mitigation
The vulnerability is fixed in Apache Geode v1.4.0, released on 2017-12-15 [2][3]. Users should upgrade to v1.4.0 or later. The upgrade alone does not turn the check on: after upgrading, set validate-serializable-objects=true (it defaults to false) and give serializable-object-filter an allow-list of the application's own domain classes, so that the server refuses to deserialize anything else [3]. Versions before v1.4.0 do not recognise these properties, so there is no configuration workaround for them; until the upgrade is done, restricting which principals hold DATA:WRITE limits who can reach the flaw.
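The following is an added example, not code from Apache Geode or from this advisory. It reproduces in plain Java the contrast drawn in the Vulnerability and Mitigation sections above: an ObjectInputStream with no filter instantiates whatever serializable class the incoming stream names, while an allow-list filter written in the JEP 290 pattern syntax that Geode's serializable-object-filter property is based on rejects any class outside the application's package before it is instantiated. It uses the java.io.ObjectInputFilter API (JDK 9 or later); the package com.example.app, the Order class and the use of java.util.HashMap as a harmless stand-in for a gadget class are assumptions made for the example.

```java
package com.example.app;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public class DeserializationFilterDemo {

    // Constructed stand-in for an application object that a client legitimately stores.
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final long orderNo;
        Order(long orderNo) { this.orderNo = orderNo; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Pre-1.4.0 situation: the stream alone decides which class is instantiated. The reader
    // performs no check, so any serializable class on the classpath (including the entry
    // class of a gadget chain) is loaded and its readObject/readResolve code runs.
    static Object readUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    // 1.4.0-style check: an allow-list in JEP 290 pattern syntax is consulted for every class
    // descriptor in the stream; a rejected class is never instantiated, so its deserialization
    // hooks never execute.
    static Object readFiltered(byte[] bytes, String pattern) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(pattern);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(allowList);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow the application's own package and sub-packages, reject everything else.
        // The catch-all "!*" must be the last pattern; earlier patterns win on first match.
        String pattern = "com.example.app.**;!*";

        byte[] trusted = serialize(new Order(42L));
        // HashMap stands in for a gadget class: it is harmless, the point is only that it
        // lies outside the allow-listed package (assumption for this example).
        byte[] hostile = serialize(new HashMap<String, String>());

        Object o = readUnfiltered(hostile);
        System.out.println("no filter      : instantiated " + o.getClass().getName());

        Order order = (Order) readFiltered(trusted, pattern);
        System.out.println("with allow-list: domain object accepted, orderNo=" + order.orderNo);

        try {
            readFiltered(hostile, pattern);
            System.out.println("with allow-list: UNEXPECTED, hostile stream accepted");
        } catch (InvalidClassException e) {
            // The JDK reports the filter decision in the exception message (filter status: REJECTED).
            System.out.println("with allow-list: rejected (" + e.getMessage() + ")");
        }
    }
}
```

On a Geode 1.4.0 or later server the equivalent of the readFiltered path is reached by setting validate-serializable-objects=true and serializable-object-filter to an allow-list pattern of the same shape in gemfire.properties (or as -Dgemfire.* system properties when starting the server); the exact pattern is deployment-specific and is an assumption here. The same catch-all rule applies there: without a trailing "!*" the filter only names exceptions and does not block unknown classes.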
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | >= 1.0.0, < 1.4.0 | 1.4.0 |
Affected products
- Apache Software Foundation / Apache Geode, range 1.0.0 to 1.3.0
Patches
No patches discovered yet (the fix pull request and JIRA issue are listed under References).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-95m2-p98f-24r5 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-15693 (NVD entry)
- www.securityfocus.com/bid/103206 (SecurityFocus BID)
- github.com/apache/geode/pull/1166 (fix pull request)
- issues.apache.org/jira/browse/GEODE-3923 (Apache JIRA issue)
- lists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E (user@geode.apache.org announcement)
News mentions
No linked articles in our index yet.