List: oss-security
Subject: [oss-security] CVE-2022-37022: Apache Geode deserialization of untrusted data flaw when using JMX ov
From: Kirk Lund <klund () apache ! org>
Date: 2022-08-30 17:06:53
Message-ID: e1baad62-b4a0-101a-c3bc-366d426e778c () apache ! org
Severity: high - possible RCE

Description:
Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11.

Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance, since it only affects JMX/RMI, which Gfsh uses to communicate with the JMX Manager hosted on a Locator.

This issue is being tracked as GEODE-9064.

Mitigation:
Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting the Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.
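The mitigation turns on a detail that is easy to miss in an audit: a member with no `jmx-manager` line in its properties is exposed or not depending on its role, because the default differs between Locators (true) and Servers (false). The following Python script is an added example, not Apache Geode project code; it parses a Java-style properties file such as Geode's gemfire.properties (the sample contents below are constructed) and reports the effective JMX Manager state per member role, applying the defaults stated in the advisory.

```python
"""Audit whether a Geode member's JMX Manager (JMX over RMI) is effectively
enabled.  Added example, not Apache Geode project code.  Defaults follow the
advisory: `jmx-manager` is false on Servers and true on Locators."""

# Constructed sample of a gemfire.properties-style file for a locator that
# never set jmx-manager, so the locator default (true) applies.
LOCATOR_PROPERTIES = """
# locator settings (constructed sample)
name=locator1
locators=localhost[10334]
"""

# Constructed sample for a locator that applied the advisory's mitigation.
HARDENED_LOCATOR_PROPERTIES = """
name=locator1
locators=localhost[10334]
jmx-manager=false
"""

# Default value of the jmx-manager property per member role (from the advisory).
JMX_MANAGER_DEFAULT = {"locator": True, "server": False}


def parse_properties(text: str) -> dict:
    """Parse key=value (or key:value) lines of a Java-style properties file.
    Lines starting with # or ! are comments; blank lines are skipped.
    Simplified parser: no line continuations or escape sequences."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def jmx_manager_enabled(props: dict, role: str) -> bool:
    """True if the JMX Manager is effectively on for this member: an explicit
    jmx-manager value wins, otherwise the role default from the advisory."""
    if role not in JMX_MANAGER_DEFAULT:
        raise ValueError(f"unknown member role {role!r}")
    value = props.get("jmx-manager")
    if value is None:
        return JMX_MANAGER_DEFAULT[role]
    return value.lower() == "true"


def audit(text: str, role: str) -> dict:
    """Summarise exposure for one member: whether jmx-manager was set
    explicitly, its effective value, and whether the mitigation is in effect."""
    props = parse_properties(text)
    enabled = jmx_manager_enabled(props, role)
    return {
        "role": role,
        "explicit": "jmx-manager" in props,
        "jmx_manager_enabled": enabled,
        "mitigated": not enabled,
    }


if __name__ == "__main__":
    # The same properties text is exposed on a locator but not on a server.
    print("default locator ", audit(LOCATOR_PROPERTIES, "locator"))
    print("hardened locator", audit(HARDENED_LOCATOR_PROPERTIES, "locator"))
    print("default server  ", audit(LOCATOR_PROPERTIES, "server"))
```

Run it against each member's properties file with the member's actual role; a Locator that reports `jmx_manager_enabled: True` with `explicit: False` is relying on the default and still has JMX over RMI listening, which is the case the advisory's mitigation addresses.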