Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
Description
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode on Java 8 allows JMX/RMI deserialization attacks; upgrade to 1.15 and Java 11 or enable global serial filter.
Vulnerability
CVE-2022-37021 is a deserialization of untrusted data vulnerability in Apache Geode, present in versions up to 1.12.5, 1.13.4, and 1.14.0. The flaw specifically affects the JMX over RMI interface when running on Java 8 [1].
Exploitation
The attack surface is the JMX/RMI endpoint, which accepts serialized objects without proper filtering. An attacker who can reach this interface (generally requiring network access to the Geode cluster's JMX port) can send a malicious serialized object to trigger arbitrary code execution. No authentication is mentioned as a prerequisite in the available references, suggesting the vulnerability may be exploitable by an unauthenticated network attacker [1].
Impact
Successful exploitation allows a remote attacker to execute arbitrary code on the affected Geode server, compromising confidentiality, integrity, and availability of the system.
Mitigation
Apache Geode 1.15 addresses the issue. Users on Java 8 should upgrade to Geode 1.15 and enable the global serial filter with the JVM argument '--J=-Dgeode.enableGlobalSerialFilter=true'. For optimal protection, upgrading to Java 11 is recommended, as the serial filter is then enabled by default. Note that enabling the global serial filter may impact performance [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
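The mitigation above comes down to a JDK deserialization filter: an allow-list of classes that `ObjectInputStream` may instantiate, with everything else rejected before any constructor or `readObject` method runs. The following is an added example, not Apache Geode's own code, showing that mechanism on a plain object stream so the effect of a filter can be seen in isolation. It uses the Java 11 API (`java.io.ObjectInputFilter`; on Java 8u121 and later the same API exists as `sun.misc.ObjectInputFilter`, and the process-wide equivalent of a "global" filter is the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`). The classes `Order` and `Unexpected`, the filter pattern and the logging wrapper are constructed for this illustration; how Geode's `geode.enableGlobalSerialFilter` flag wires the JDK filter up internally is not described on this page and is not assumed here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/** Illustrates the JDK deserialization filter that the advisory's serial-filter mitigation relies on. */
public class SerialFilterDemo {

    // Constructed sample: a type the application legitimately expects to deserialize
    static final class Order implements Serializable {
        private static final long serialVersionUID = 1L;
        final String id;
        Order(String id) { this.id = id; }
    }

    // Constructed sample: Serializable, but never put on the allow list
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /**
     * Allow-list filter: the application's own class plus the java.base module are accepted,
     * every other class is rejected ("!*"), and stream depth / array size are capped.
     * The pattern filter is wrapped so that each rejection is logged with the offending
     * class name, which is the event a defender wants surfaced from a JMX/RMI endpoint.
     */
    static ObjectInputFilter allowListFilter() {
        ObjectInputFilter allowList = ObjectInputFilter.Config.createFilter(
                "maxdepth=8;maxarray=10000;SerialFilterDemo$Order;java.base/*;!*");
        return info -> {
            ObjectInputFilter.Status status = allowList.checkInput(info);
            if (status == ObjectInputFilter.Status.REJECTED) {
                System.err.println("serial filter rejected class=" + info.serialClass()
                        + " depth=" + info.depth() + " bytes=" + info.streamBytes());
            }
            return status;
        };
    }

    /** Returns the deserialized object, or null when the filter rejected the stream. */
    static Object deserializeFiltered(byte[] data, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            // Per-stream filter; ObjectInputStream throws InvalidClassException on a REJECTED status
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        } catch (InvalidClassException rejected) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectInputFilter filter = allowListFilter();

        Object accepted = deserializeFiltered(serialize(new Order("A-1")), filter);
        System.out.println("Order accepted: " + (accepted instanceof Order));

        Object blocked = deserializeFiltered(serialize(new Unexpected()), filter);
        System.out.println("Unexpected blocked: " + (blocked == null));

        // Unfiltered stream: the situation without a serial filter, where any Serializable
        // class on the classpath is instantiated as soon as its descriptor is read
        try (ObjectInputStream ois = new ObjectInputStream(
                new ByteArrayInputStream(serialize(new Unexpected())))) {
            System.out.println("No filter, class loaded: " + ois.readObject().getClass().getName());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. Two properties of the filter matter in practice: it is consulted when the class descriptor is read, before the class is instantiated, so a rejected class never gets a chance to run code; and a pattern-only filter returns UNDECIDED for primitive arrays and reference checks, which is why the wrapper logs only explicit REJECTED results. Moving the same pattern to `-Djdk.serialFilter=...` applies it to every `ObjectInputStream` in the process, including the RMI transport underneath JMX, which is the scope a global filter needs in order to cover the endpoint this advisory concerns; the cost noted in the description (the filter runs on every deserialized class) is the trade-off.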
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.geode:geode-core (Maven) | < 1.12.16 | 1.12.16 |
| org.apache.geode:geode-core (Maven) | >= 1.13.0, < 1.13.5 | 1.13.5 |
| org.apache.geode:geode-core (Maven) | >= 1.14.0, < 1.14.1 | 1.14.1 |
Affected products
- Apache Software Foundation / Apache Geode
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q4q3-r45f-7gwg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37021 (NVD advisory)
- lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nr (Apache mailing-list announcement)
News mentions
No linked articles in our index yet.