JMX Credential Deserialization in GemFire
CVE-2019-11286

9CRITICAL

Key Information:

Vendor: Vmware Tanzu
Status: Vmware Gemfire; Vmware Tanzu Gemfire For Vms
Vendor: CVE Published:; 31 July 2020

🔔 Create Vmware Tanzu Vulnerability Alert

What is CVE-2019-11286?

VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.

Affected Version(s)

VMware GemFire 9.7 < 9.7.5

VMware GemFire 9.8 < 9.8.5

VMware GemFire 9.9 < 9.9.1

References

https://tanzu.vmware.com/security/cve-2019-11286

x_refsource_CONFIRM

CVSS V3.1

Score:

Severity:

CRITICAL

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 31, 2020
Vulnerability Reserved
Apr 18, 2019