Remote Code Execution Vulnerability in Apache Geode TcpServer
CVE-2017-15692

9.8CRITICAL

Key Information:

Vendor

Apache

Vendor
CVE Published:
27 February 2018

What is CVE-2017-15692?

An issue exists in Apache Geode prior to version 1.4.0, where the TcpServer in the Geode locator opens a network port that can deserialize potentially unsafe data. If an unprivileged user accesses the Geode locator, they might exploit this flaw to execute arbitrary code remotely, provided that certain classes are available on the classpath. This poses significant security risks, especially in environments where proper access controls are not enforced.

Affected Version(s)

Apache Geode 1.0.0 to 1.3.0

References

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2017-15692 : Remote Code Execution Vulnerability in Apache Geode TcpServer