List: oss-security
Subject: [oss-security] CVE-2022-37021: Apache Geode deserialization of untrusted data flaw when using JMX ov
From: Kirk Lund <klund () apache ! org>
Date: 2022-08-30 16:40:52
Message-ID: fc373d19-9e46-80b5-fc19-c9aeed275c91 () apache ! org
Severity: high - possible RCE
Description:
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.

Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.

If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
This issue is being tracked as GEODE-9758
Mitigation:
Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.
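As an added check (not from the advisory or the Apache Geode project), a POSIX shell audit script that applies the two mitigations above to a member's configuration: it reads `jmx-manager` from a gemfire.properties file, applying the locator/server defaults stated above, and looks for `-Dgeode.enableGlobalSerialFilter=true` on the start command line. The file names, file contents and the `geode_jmx_deser_check` helper are assumptions made for this example.

```shell
#!/bin/sh
# Added audit helper; not from the advisory or the Apache Geode project.
# Given a member's gemfire.properties file, its role, and the command line it
# was started with, report whether the CVE-2022-37021 exposure (JMX over RMI
# deserialization on Java 8) is mitigated per the advisory: either jmx-manager
# is off, or the global serial filter is enabled. Exit 0 = mitigated, 1 = exposed.
# File names and contents below are constructed for this example.

# Print the last value of a key in a Java properties file (empty if absent).
prop_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# True when the JMX manager is effectively on: explicit jmx-manager=true, or
# unset on a locator (the property defaults to true on locators, false on servers).
jmx_enabled() {
    v=$(prop_value "$1" jmx-manager)
    case "${v:-unset}" in
        true)  return 0 ;;
        false) return 1 ;;
        *)     [ "$2" = locator ] ;;
    esac
}

# $1 = properties file, $2 = locator|server, $3 = start command line
geode_jmx_deser_check() {
    if ! jmx_enabled "$1" "$2"; then
        echo "OK: $2 has jmx-manager off, JMX over RMI not exposed"
        return 0
    fi
    # Accept the flag as a raw JVM option or wrapped in gfsh's --J=... form.
    case " $3 " in
        *"-Dgeode.enableGlobalSerialFilter=true "*)
            echo "OK: $2 exposes JMX but the global serial filter is enabled"
            return 0 ;;
    esac
    echo "EXPOSED: $2 serves JMX over RMI without geode.enableGlobalSerialFilter=true"
    return 1
}

# Constructed sample inputs so the script runs stand-alone.
demo_dir=${TMPDIR:-/tmp}/geode-cve-2022-37021-demo
mkdir -p "$demo_dir"
printf 'jmx-manager=true\njmx-manager-port=1099\n' > "$demo_dir/locator.properties"
printf 'name=locator2\n' > "$demo_dir/locator-default.properties"
printf 'name=server1\n' > "$demo_dir/server.properties"

geode_jmx_deser_check "$demo_dir/locator.properties" locator "gfsh start locator --name=locator1" || :
geode_jmx_deser_check "$demo_dir/locator-default.properties" locator "gfsh start locator --name=locator2 --J=-Dgeode.enableGlobalSerialFilter=true" || :
geode_jmx_deser_check "$demo_dir/server.properties" server "gfsh start server --name=server1" || :
```

The script only inspects configuration; it does not connect to the JMX port, so run it on each locator and server host against the real properties file and start command.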