CVE-2022-37022

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-37022

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-37022.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-37022

Aliases

GHSA-qf8g-vpwp-6579

Published

2022-08-31T07:15:07Z

Modified

2024-09-03T04:18:56.609430Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.

References

https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m

Affected packages

Git / github.com/apache/geode

Affected ranges

Type: GIT
Repo: https://github.com/apache/geode
Events: Last affected

5d1803ac03ed3216a78ccf39555a122cd49ff513

Introduced

79de6fd5232e2e0a79faa1e5c03cb0caf9ed514d

Last affected

645d3530f8f6a22432afe27c3381fe318ed59654

Affected versions

rel/v1.*

rel/v1.13.0

rel/v1.13.1

rel/v1.13.2