Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when the REST API is used on Java 8 or Java 11. Users who want to protect against deserialization attacks involving the REST APIs should upgrade to Apache Geode 1.15 and follow the documentation to enable "validate-serializable-objects=true" and to specify, in "serializable-object-filter", any user classes that may be serialized or deserialized. Enabling "validate-serializable-objects" may impact performance.
[
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"271565698906081870400169871511662208430",
"176187584659808302530788165325360213355",
"134880645845953282268972577247585880031",
"53295455689425563555996461759800583693",
"70083092266538896607488590401427580807",
"289021059350922040194240575560381792757",
"10829721629913145967682247146006937839",
"305238111899125501357639011755052031703",
"93335574219089873899986001117433296606",
"314749251526121229644009105875443066679",
"164254472352684605065835893787591616778",
"310113726972266865595363195125320584944",
"329861190717333577342179465029766201288",
"7284826531753941901750520790015254528",
"69758159662841269769156527668657038799",
"114393473920070319626796743782660078873",
"116252813271263944326105403300875878227",
"275776104964228786121551553639020523464",
"268677713687836665472361218880504497278",
"291620291836338604326870964666082246575",
"304876704896918746566785673531662587337",
"892111163148490529540875392021719412",
"284626310180379447834987912419466098288"
],
"threshold": 0.9
},
"id": "CVE-2022-37023-809662cb",
"target": {
"file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java"
},
"source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9"
},
{
"deprecated": false,
"signature_type": "Line",
"signature_version": "v1",
"digest": {
"line_hashes": [
"279118738397569944925485559297762383710",
"65322130819880844940466556451331768114",
"277682453534267293812759125465126622376",
"301472015557760709901877389848514072764",
"319421240591323641868920876121877197410",
"238359394992625475952054164253364297180",
"4410955819757281567268618184541616251",
"223043664404684175555379802953565586640"
],
"threshold": 0.9
},
"id": "CVE-2022-37023-84bd298c",
"target": {
"file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java"
},
"source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9"
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"length": 1321.0,
"function_hash": "137852228223487124481135004770762797359"
},
"id": "CVE-2022-37023-97ffb935",
"target": {
"function": "before",
"file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java"
},
"source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9"
},
{
"deprecated": false,
"signature_type": "Function",
"signature_version": "v1",
"digest": {
"length": 105.0,
"function_hash": "327511076890806405506015692481445654339"
},
"id": "CVE-2022-37023-98869495",
"target": {
"function": "notifyReAuthentication",
"file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java"
},
"source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9"
}
]