Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11
CVE-2022-37023

6.5MEDIUM

Key Information:

Vendor: Apache
Status: Apache Geode
Vendor: CVE Published:; 31 August 2022

Summary

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.

Affected Version(s)

Apache Geode Java 8 or 11 Apache Geode < 1.15.0

References

https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn7...

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 31, 2022
Vulnerability Reserved
Jul 29, 2022