CVE-2022-37021: Deserialization of Untrusted Data

August 31, 2022 (updated September 7, 2022)

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 is vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify “–J=-Dgeode.enableGlobalSerialFilter=true” when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the “serializable-object-filter” configuration option. Using a global serial filter will impact performance.

References

Detect and mitigate CVE-2022-37021 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →