List: oss-security
Subject: [oss-security] CVE-2022-37021: Apache Geode deserialization of untrusted data flaw when using JMX ov
From: Kirk Lund <klund () apache ! org>
Date: 2022-08-30 16:40:52
Message-ID: fc373d19-9e46-80b5-fc19-c9aeed275c91 () apache ! org
Severity: high - possible RCE
Description:
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.

Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.

If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.

This issue is being tracked as GEODE-9758.
Mitigation:
Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting the Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.
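As an added example (not part of this advisory or the Geode project's own tooling), the following POSIX shell functions apply the two points above to a member's gemfire.properties: they decide whether the JMX manager is active using the role-dependent defaults the advisory states, read the `serializable-object-filter` value if one is set, and print the gfsh start command carrying the `--J=-Dgeode.enableGlobalSerialFilter=true` flag. The properties-file format handling (simple `key=value` lines) and the member name passed to `hardened_start_cmd` are assumptions for illustration.

```shell
#!/bin/sh
# Added example for CVE-2022-37021: audit a gemfire.properties file for the
# JMX-over-RMI exposure and emit a hardened gfsh start command.
# Not from the advisory or the Geode project; assumes simple "key=value" lines.

# Print the last value of a key from a Java .properties file, or nothing if absent.
# Whitespace around '=' is tolerated; '#' comment lines never match the key pattern.
prop_value() {
  file="$1"; key="$2"
  [ -f "$file" ] || return 0
  sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file" | tail -n 1 | tr -d '[:space:]'
}

# Decide whether the JMX manager (and therefore JMX over RMI) is active for a member.
# Per the advisory, jmx-manager defaults to false on Servers and true on Locators,
# so an unset property means "enabled" only for the locator role.
# Prints "enabled" or "disabled".
jmx_manager_state() {
  file="$1"; role="$2"
  value=$(prop_value "$file" "jmx-manager")
  if [ -z "$value" ]; then
    case "$role" in
      locator) value=true ;;
      *)       value=false ;;
    esac
  fi
  case "$value" in
    true|TRUE|True) echo enabled ;;
    *)              echo disabled ;;
  esac
}

# Build the gfsh start command with the global serial filter flag from the advisory.
# $1 is "locator" or "server"; $2 is the member name (placeholder chosen by the caller).
hardened_start_cmd() {
  role="$1"; name="$2"
  printf 'start %s --name=%s --J=-Dgeode.enableGlobalSerialFilter=true\n' "$role" "$name"
}

# Report on one member: is JMX over RMI reachable, and which user classes are allowed?
audit_member() {
  file="$1"; role="$2"
  state=$(jmx_manager_state "$file" "$role")
  filter=$(prop_value "$file" "serializable-object-filter")
  echo "$role: jmx-manager $state; serializable-object-filter='${filter:-<unset>}'"
  if [ "$state" = enabled ]; then
    echo "  JMX over RMI is active; if not required set jmx-manager=false, otherwise start with:"
    echo "  $(hardened_start_cmd "$role" "${role}1")"
  fi
}

# Usage: audit_member /path/to/gemfire.properties locator
```

Run `audit_member` once per member with its properties file and role; a locator with no `jmx-manager` entry is reported as enabled because of the default the advisory describes, which is the case most easily overlooked.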