List:       oss-security
Subject:    [oss-security] CVE-2022-37022: Apache Geode deserialization of untrusted data flaw when using JMX ov
From:       Kirk Lund <klund () apache ! org>
Date:       2022-08-30 17:06:53
Message-ID: e1baad62-b4a0-101a-c3bc-366d426e778c () apache ! org

Severity: high - possible RCE

Description:

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11.

Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI, which Gfsh uses to communicate with the JMX Manager hosted on a Locator.

This issue is being tracked as GEODE-9064.

Mitigation:

Disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting the Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.
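The following audit helper is an added example written for this page; it is not part of the Geode project or of the advisory. It reads a member's gemfire.properties file, applies the role-dependent default the advisory states (true on Locators, false on Servers) when `jmx-manager` is not set explicitly, and reports whether the JMX Manager, and therefore JMX over RMI, would be active. The member role passed as the second argument and the sample property files it creates are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Geode's own tooling): report whether the JMX Manager would
# be enabled for a Geode member, given its gemfire.properties and its role.
# Defaults follow the advisory: jmx-manager is true on Locators, false on Servers.

# Usage: jmx_manager_enabled <gemfire.properties> <locator|server>
# Prints "true" or "false"; returns 2 for an unknown role.
jmx_manager_enabled() {
    props_file="$1"
    role="$2"
    # Assumption: the caller knows the member role, since the default depends on it.
    case "$role" in
        locator) value="true" ;;
        server)  value="false" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    if [ -f "$props_file" ]; then
        # Properties syntax: key=value or key: value, comments start with # or !.
        # Only an uncommented jmx-manager key counts; the last assignment wins.
        explicit=$(sed -n 's/^[[:space:]]*jmx-manager[[:space:]]*[=:][[:space:]]*\([^[:space:]]*\).*/\1/p' "$props_file" | tail -n 1)
        if [ -n "$explicit" ]; then
            value=$(printf '%s' "$explicit" | tr '[:upper:]' '[:lower:]')
        fi
    fi
    echo "$value"
}

# Usage: audit_member <gemfire.properties> <locator|server>
# Returns 1 when JMX over RMI is exposed, 0 when it is disabled, 2 on bad input.
audit_member() {
    enabled=$(jmx_manager_enabled "$1" "$2") || return 2
    if [ "$enabled" = "true" ]; then
        echo "$2: jmx-manager enabled (JMX over RMI exposed) in $1"
        return 1
    fi
    echo "$2: jmx-manager disabled in $1"
    return 0
}

# Stand-alone demonstration on constructed sample files.
demo() {
    tmp=$(mktemp -d) || return 2
    # A locator left at its default: jmx-manager is not set, so it is enabled.
    printf '# locator config\nlog-level=config\n' > "$tmp/locator.properties"
    # A server where an earlier setting is overridden later in the file.
    printf 'jmx-manager=true\n# override below wins\njmx-manager = false\n' > "$tmp/server.properties"
    audit_member "$tmp/locator.properties" locator || true
    audit_member "$tmp/server.properties" server || true
    rm -rf "$tmp"
}

demo
```

Run it as a pre-upgrade inventory across members to find Locators still exposing JMX over RMI; keep in mind, as the advisory notes, that Gfsh talks to the JMX Manager on a Locator over exactly this channel, so disabling `jmx-manager` there removes that management path until the upgrade to 1.15 is in place.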
