Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 11
Description
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance, since it only affects JMX/RMI, which Gfsh uses to communicate with the JMX Manager hosted on a Locator.
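The kind of protection the advisory describes is Java's serialization filtering (JEP 290, available on Java 9 and later): the JMX RMI connector server is handed an ObjectInputFilter pattern, so the RMI transport refuses to deserialize any class outside an allow-list before that class's constructor or readObject() can run. The following is an added illustration written for this page, not Geode's own code, of starting a JMX-over-RMI connector server with such a filter; the port and the allow-list pattern are assumptions for the example, and a real deployment would derive the pattern from the types its JMX clients actually exchange.

```java
import java.lang.management.ManagementFactory;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;

/**
 * Starts a JMX-over-RMI connector server whose RMI transport deserializes only
 * an allow-listed set of classes. Any other class name arriving in the stream
 * is rejected by the filter, so gadget classes present on the classpath are
 * never instantiated by the connector.
 */
public class FilteredJmxServer {

    // Assumed port for this example (a Geode locator configures its JMX manager port separately).
    static final int PORT = 1099;

    // Assumed allow-list in JEP 290 pattern syntax. Packages the JMX remote protocol
    // itself relies on are permitted ("**" also matches sub-packages); the trailing
    // "!*" rejects every class not matched by an earlier entry.
    static final String SERIAL_FILTER =
        "java.lang.*;java.util.*;java.rmi.*;javax.management.**;javax.security.auth.Subject;!*";

    public static JMXConnectorServer start() throws Exception {
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        LocateRegistry.createRegistry(PORT);
        JMXServiceURL url = new JMXServiceURL(
            "service:jmx:rmi:///jndi/rmi://localhost:" + PORT + "/jmxrmi");

        Map<String, Object> env = new HashMap<>();
        // JDK 10+: installs an ObjectInputFilter on the connector's RMI server side,
        // built from the pattern string. Unmatched classes fail with an InvalidClassException
        // during unmarshalling rather than being deserialized.
        env.put(RMIConnectorServer.SERIAL_FILTER_PATTERN, SERIAL_FILTER);

        JMXConnectorServer server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
        return server;
    }

    public static void main(String[] args) throws Exception {
        JMXConnectorServer server = start();
        System.out.println("JMX connector listening with serial filter at " + server.getAddress());
        Thread.currentThread().join();
    }
}
```

Two design points worth noting. First, the connector-level pattern only governs the JMX RMI server's own unmarshalling; the RMI registry created by `LocateRegistry.createRegistry` is filtered separately through the `sun.rmi.registry.registryFilter` property, and a single process-wide policy can be set for every `ObjectInputStream` with `-Djdk.serialFilter=<pattern>` on the JVM command line. Second, a class filter limits which types can be deserialized but does not identify the caller, so it complements rather than replaces authentication on the connector (for example the `jmx.remote.x.password.file` and `jmx.remote.x.access.file` environment entries).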
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Geode up to 1.13.2 vulnerable to deserialization via JMX over RMI on Java 11; upgrade to 1.15 to fix.
Apache Geode versions up to 1.12.2 and 1.13.2 contain a deserialization of untrusted data vulnerability when using JMX over RMI on Java 11 [1]. The flaw arises from insecure deserialization in the JMX/RMI communication channel, which can be triggered without authentication.
An attacker can exploit this vulnerability by sending crafted serialized data over JMX/RMI to the Geode Locator, which hosts the JMX Manager. Successful exploitation does not require prior authentication, as JMX over RMI on Java 11 is vulnerable to deserialization attacks [1].
Exploitation could lead to remote code execution in the context of the Geode Locator process, potentially compromising the entire cluster. The impact is high, as an attacker could gain full control over the Geode system.
Users should upgrade to Apache Geode 1.15 or later, which automatically protects JMX over RMI against deserialization attacks on Java 11 without performance impact [1]. No workarounds are available for earlier versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.geode:geode-core | Maven | < 1.15.0 | 1.15.0 |
Affected products
- Apache Software Foundation / Apache Geode (range: Apache Geode)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qf8g-vpwp-6579 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-37022 (GHSA, advisory)
- lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.