Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using the REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving the REST API should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and on specifying, with "serializable-object-filter", any user classes that may be serialized or deserialized. Enabling "validate-serializable-objects" may impact performance.
{ "vanir_signatures": [ { "id": "CVE-2022-37023-809662cb", "signature_type": "Line", "target": { "file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java" }, "digest": { "line_hashes": [ "271565698906081870400169871511662208430", "176187584659808302530788165325360213355", "134880645845953282268972577247585880031", "53295455689425563555996461759800583693", "70083092266538896607488590401427580807", "289021059350922040194240575560381792757", "10829721629913145967682247146006937839", "305238111899125501357639011755052031703", "93335574219089873899986001117433296606", "314749251526121229644009105875443066679", "164254472352684605065835893787591616778", "310113726972266865595363195125320584944", "329861190717333577342179465029766201288", "7284826531753941901750520790015254528", "69758159662841269769156527668657038799", "114393473920070319626796743782660078873", "116252813271263944326105403300875878227", "275776104964228786121551553639020523464", "268677713687836665472361218880504497278", "291620291836338604326870964666082246575", "304876704896918746566785673531662587337", "892111163148490529540875392021719412", "284626310180379447834987912419466098288" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9" }, { "id": "CVE-2022-37023-84bd298c", "signature_type": "Line", "target": { "file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java" }, "digest": { "line_hashes": [ "279118738397569944925485559297762383710", "65322130819880844940466556451331768114", "277682453534267293812759125465126622376", "301472015557760709901877389848514072764", "319421240591323641868920876121877197410", "238359394992625475952054164253364297180", "4410955819757281567268618184541616251", "223043664404684175555379802953565586640" ], "threshold": 0.9 }, "deprecated": false, "signature_version": "v1", 
"source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9" }, { "id": "CVE-2022-37023-97ffb935", "signature_type": "Function", "target": { "file": "geode-core/src/test/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxyTest.java", "function": "before" }, "digest": { "function_hash": "137852228223487124481135004770762797359", "length": 1321.0 }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9" }, { "id": "CVE-2022-37023-98869495", "signature_type": "Function", "target": { "file": "geode-core/src/main/java/org/apache/geode/internal/cache/tier/sockets/CacheClientProxy.java", "function": "notifyReAuthentication" }, "digest": { "function_hash": "327511076890806405506015692481445654339", "length": 105.0 }, "deprecated": false, "signature_version": "v1", "source": "https://github.com/apache/geode/commit/1869f2c06681bb73de727d2080d76c6215db9fb9" } ] }