
List:       oss-security
Subject:    [oss-security] CVE-2022-37021: Apache Geode deserialization of untrusted data flaw when using JMX ov
From:       Kirk Lund <klund () apache ! org>
Date:       2022-08-30 16:40:52
Message-ID: fc373d19-9e46-80b5-fc19-c9aeed275c91 () apache ! org

Severity: high - possible RCE

Description:

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.

Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.

If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.

This issue is being tracked as GEODE-9758

Mitigation:

Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.
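The following is an added example, not part of the advisory above and not code from the Apache Geode project. It audits a member's gemfire.properties for the exposure the advisory describes (applying the role defaults it states: `jmx-manager` is false on servers and true on locators) and, for a member that must keep its JMX manager while still on Java 8, prints the gfsh start line with the global serial filter enabled. The gemfire.properties files are constructed inline. Two details are assumptions rather than statements from the advisory: that `serializable-object-filter` can be passed as the system property `gemfire.serializable-object-filter` (the usual `gemfire.` prefix for Geode properties), and that its value uses the JEP 290 pattern syntax; confirm both against the Geode documentation for your version.

```shell
#!/usr/bin/env bash
# Added example: audit Geode members for JMX over RMI exposure (CVE-2022-37021)
# and emit the hardened start command from the advisory. Not project code.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a locator whose operator never set jmx-manager.
cat >"$WORK/locator-default.properties" <<'EOF'
log-level=config
EOF

# Constructed sample: a locator with the advisory's mitigation applied.
cat >"$WORK/locator-hardened.properties" <<'EOF'
log-level=config
jmx-manager=false
EOF

# Effective value of `jmx-manager` for a member of the given role.
# An explicit setting wins; otherwise the advisory's defaults apply
# (false on servers, true on locators). The last definition in the file wins.
# Usage: effective_jmx_manager <locator|server> <path-to-gemfire.properties>
effective_jmx_manager() {
  role=$1; props=$2
  explicit=$(sed -n 's/^[[:space:]]*jmx-manager[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$props" | tail -n 1)
  if [ -n "$explicit" ]; then
    printf '%s\n' "$explicit" | tr '[:upper:]' '[:lower:]'
  elif [ "$role" = locator ]; then
    echo true
  else
    echo false
  fi
}

# gfsh start line for a member that must keep JMX over RMI on Java 8:
# Geode 1.15 with the global serial filter enabled and an allow-list of
# application classes. ASSUMPTION: the property is settable as
# -Dgemfire.serializable-object-filter and takes JEP 290 pattern syntax.
# Usage: hardened_start_cmd <locator|server> <member-name> <class-pattern>
hardened_start_cmd() {
  role=$1; name=$2; pattern=$3
  printf 'gfsh start %s --name=%s --J=-Dgeode.enableGlobalSerialFilter=true --J=-Dgemfire.serializable-object-filter=%s\n' \
    "$role" "$name" "$pattern"
}

# Report whether a member exposes JMX over RMI. Returns 1 when exposed so the
# function can gate a deployment check.
# Usage: audit_member <locator|server> <member-name> <path-to-gemfire.properties>
audit_member() {
  role=$1; name=$2; props=$3
  jmx=$(effective_jmx_manager "$role" "$props")
  if [ "$jmx" = true ]; then
    printf '%s (%s): jmx-manager=true, JMX over RMI reachable. Set jmx-manager=false or start with:\n  %s\n' \
      "$name" "$role" "$(hardened_start_cmd "$role" "$name" 'com.example.app.**;!*')"
    return 1
  fi
  printf '%s (%s): jmx-manager=false, JMX over RMI not exposed\n' "$name" "$role"
}

# Demo run over the constructed samples (|| true keeps set -e from aborting).
audit_member locator locator1 "$WORK/locator-default.properties" || true
audit_member locator locator2 "$WORK/locator-hardened.properties" || true
audit_member server server1 "$WORK/locator-default.properties" || true
```

The class pattern `com.example.app.**;!*` is a placeholder allow-list: everything under the application package is permitted and all other classes are rejected, which is the shape of filter the advisory's "specify any user classes that may be serialized/deserialized" step calls for. Run the audit against the properties file of every locator first, since that is the role where `jmx-manager` is on by default.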

