Remote Code Execution Vulnerability in Apache Geode TcpServer
CVE-2017-15692

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Geode
Vendor: CVE Published:; 27 February 2018

Summary

An issue exists in Apache Geode prior to version 1.4.0, where the TcpServer in the Geode locator opens a network port that can deserialize potentially unsafe data. If an unprivileged user accesses the Geode locator, they might exploit this flaw to execute arbitrary code remotely, provided that certain classes are available on the classpath. This poses significant security risks, especially in environments where proper access controls are not enforced.

Affected Version(s)

Apache Geode 1.0.0 to 1.3.0

References

http://www.securityfocus.com/bid/103205

vdb-entryx_refsource_BID

https://lists.apache.org/thread.html/d0e00f2e147a9e9b13a6...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 27, 2018
Vulnerability Reserved
Oct 21, 2017