Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8.
Description
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.geode:geode-coreMaven | < 1.12.16 | 1.12.16 |
org.apache.geode:geode-coreMaven | >= 1.13.0, < 1.13.5 | 1.13.5 |
org.apache.geode:geode-coreMaven | >= 1.14.0, < 1.14.1 | 1.14.1 |
Affected products
2- Apache Software Foundation/Apache Geodev5Range: Apache Geode
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-q4q3-r45f-7gwgghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-37021ghsaADVISORY
- lists.apache.org/thread/qrvhmytsshsk5xcb68pwccw3y6m8o8nrghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.