Remote Code Execution Vulnerability in Apache Geode Server
CVE-2017-15693
7.5 HIGH
Summary
In Apache Geode versions prior to 1.4.0, the Geode server deserializes application objects that it receives in serialized form during certain cluster operations and API invocations. Because the server deserializes these objects without restriction, a malicious user who holds DATA:WRITE access can use this mechanism to execute arbitrary code on the server, provided the right classes exist on the server's classpath, potentially gaining unauthorized control over the affected system.
Affected Version(s)
Apache Geode 1.0.0 to 1.3.0
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved