
List:       oss-security
Subject:    [oss-security] CVE-2022-37021: Apache Geode deserialization of untrusted data flaw when using JMX ov
From:       Kirk Lund <klund () apache ! org>
Date:       2022-08-30 16:40:52
Message-ID: fc373d19-9e46-80b5-fc19-c9aeed275c91 () apache ! org

Severity: high - possible RCE

Description:

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.

Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.

If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying, with the "serializable-object-filter" configuration option, any user classes that are allowed to be serialized/deserialized; classes not covered by that filter will be rejected. Using a global serial filter will impact performance.

This issue is being tracked as GEODE-9758.

Mitigation:

Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting the Geode property `jmx-manager` to false. Note that this property defaults to false on Servers but true on Locators, so a Locator started without an explicit `jmx-manager=false` setting exposes JMX over RMI.
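The following script is an added example and is not part of the advisory or of the Apache Geode project. It audits a Geode member for the two mitigations named above (the `jmx-manager` property, applying the role-dependent default, and the `-Dgeode.enableGlobalSerialFilter=true` JVM option on Java 8). It only reads a `gemfire.properties` file and a JVM/gfsh argument string; it does not see settings passed as `-Dgemfire.*` system properties or through the cluster configuration service, which is a known limitation of this check rather than of Geode. The property file contents and argument strings are constructed sample input.

```shell
#!/bin/sh
# Added example (not Geode project code): audit a member's gemfire.properties
# and start-up options for the CVE-2022-37021 mitigations from the advisory.
#   1. jmx-manager must be effectively false (defaults: locator=true, server=false)
#   2. on Java 8, -Dgeode.enableGlobalSerialFilter=true must be present

# Effective jmx-manager value: explicit setting if present, else the role default.
# $1 = member role (locator|server), $2 = path to gemfire.properties
jmx_manager_effective() {
    # Take the last uncommented "jmx-manager = value" line, as a properties file would.
    val=$(sed -n 's/^[[:space:]]*jmx-manager[[:space:]]*=[[:space:]]*//p' "$2" \
          | tail -n 1 | tr -d '[:space:]')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    elif [ "$1" = "locator" ]; then
        printf 'true\n'      # locators enable the JMX manager by default
    else
        printf 'false\n'     # servers do not
    fi
}

# $1 = role, $2 = properties file, $3 = Java major version,
# $4 = JVM options (raw "-D..." form or gfsh "--J=-D..." form, space separated)
# Returns 0 when both mitigations hold, 1 when JMX over RMI is still exposed
# on an unfiltered Java 8 JVM or either mitigation is missing.
geode_cve_2022_37021_check() {
    role=$1; props=$2; java_major=$3
    jvm_opts=$(printf '%s' "$4" | sed 's/--J=//g')   # normalise gfsh --J= prefixes
    status=0

    if [ "$(jmx_manager_effective "$role" "$props")" = "true" ]; then
        echo "WARN: $role: jmx-manager is effectively true (JMX over RMI exposed)"
        status=1
    else
        echo "OK:   $role: jmx-manager is false"
    fi

    if [ "$java_major" -le 8 ]; then
        case " $jvm_opts " in
            *" -Dgeode.enableGlobalSerialFilter=true "*)
                echo "OK:   $role: global serial filter enabled on Java $java_major" ;;
            *)
                echo "WARN: $role: Java $java_major without -Dgeode.enableGlobalSerialFilter=true"
                status=1 ;;
        esac
    else
        echo "OK:   $role: Java $java_major, the advisory's recommended baseline"
    fi
    return $status
}

# Demonstration on constructed sample configurations.
sample_dir=$(mktemp -d)
: > "$sample_dir/locator-default.properties"                      # nothing set
printf 'jmx-manager=false\n' > "$sample_dir/locator-hardened.properties"

# Unset jmx-manager on a locator plus a bare Java 8 JVM: both checks fail.
if geode_cve_2022_37021_check locator "$sample_dir/locator-default.properties" 8 "-Xmx1g"; then
    :
fi
# Explicit jmx-manager=false plus the gfsh-style filter flag: both checks pass.
if geode_cve_2022_37021_check locator "$sample_dir/locator-hardened.properties" 8 \
        "--J=-Xmx1g --J=-Dgeode.enableGlobalSerialFilter=true"; then
    :
fi
rm -rf "$sample_dir"
```

The role argument matters: the same empty properties file is compliant for a server and non-compliant for a locator, which is exactly the default the advisory points out. Run it against each Locator's and Server's properties file together with the `--J` options used in its `gfsh start` command.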

