CVE-2022-37021

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2022-37021

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37021.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2022-37021

Aliases

GHSA-q4q3-r45f-7gwg

Published

2022-08-31T07:15:07.227Z

Modified

2026-02-11T13:26:58.757335Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.

References

Affected packages

Git / github.com/apache/geode

Affected ranges

Type: GIT
Repo: https://github.com/apache/geode
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

227ce9c313e77269cf481294d0c512c7edb79b68

Introduced

79de6fd5232e2e0a79faa1e5c03cb0caf9ed514d

Last affected

4984b0434dde8e065d5392f5818239e9041c72b2

Affected versions

rel/v1.*

rel/v1.13.0

rel/v1.13.1

rel/v1.13.2

rel/v1.13.3

rel/v1.13.4

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-37021.json"