QID 730608
Date Published: 2022-09-27
QID 730608: Apache Geode deserialization of untrusted data flaw when using JMX over RMI on Java 8 Vulnerability
Apache Geode is a data management platform that provides real-time, consistent access to data-intensive applications throughout widely distributed cloud architectures.
Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8.
Affected Version
Apache Geode up to 1.12.5, 1.13.4 and 1.14.0
QID Detection Logic:
This QID checks for an affected Apache Geode server version.
TBA
Solution
Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11.
If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
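The mitigation above hinges on one JVM flag being present on every locator and server. As an added example (not Qualys or Apache Geode code), the POSIX shell functions below do two things: emit the gfsh start command that sets the flag (and, optionally, the serializable-object-filter property) and audit a list of process command lines for Geode members started without it. The sample process list is constructed inline, the class names org.apache.geode.distributed.LocatorLauncher and ServerLauncher are assumed to be what gfsh launches, and passing serializable-object-filter as the system property gemfire.serializable-object-filter is an assumption based on Geode's gemfire.* property convention.

```shell
#!/bin/sh
# Constructed sample of what `ps -eo args` might show on a host running Geode members.
# Not real output: the first locator carries the mitigation flag, the server does not,
# and the third line is an unrelated JVM that must be ignored.
SAMPLE_PROCS='java -Dgeode.enableGlobalSerialFilter=true -cp /opt/geode/lib/geode-dependencies.jar org.apache.geode.distributed.LocatorLauncher start locator1
java -cp /opt/geode/lib/geode-dependencies.jar org.apache.geode.distributed.ServerLauncher start server1
/usr/bin/java -Xmx2g com.example.Unrelated'

# Build the gfsh command that starts a member with the global serial filter enabled.
#   $1 = locator|server, $2 = member name,
#   $3 = optional serializable-object-filter pattern for user classes (assumed to be
#        settable as the system property gemfire.serializable-object-filter)
geode_start_cmd() {
  kind=$1
  name=$2
  pattern=${3:-}
  cmd="gfsh start $kind --name=$name --J=-Dgeode.enableGlobalSerialFilter=true"
  if [ -n "$pattern" ]; then
    cmd="$cmd --J=-Dgemfire.serializable-object-filter=$pattern"
  fi
  printf '%s\n' "$cmd"
}

# Audit helper: given process command lines (one per line), print the member name of
# every Geode locator/server that was started WITHOUT -Dgeode.enableGlobalSerialFilter=true.
# An empty result means every member on the host carries the flag.
geode_procs_missing_filter() {
  printf '%s\n' "$1" \
    | grep -E 'org\.apache\.geode\.distributed\.(LocatorLauncher|ServerLauncher)' \
    | grep -v -- '-Dgeode.enableGlobalSerialFilter=true' \
    | awk '{ print $NF }'
}

# Stand-alone usage: show the hardened start command, then audit the constructed sample.
geode_start_cmd locator locator1
geode_start_cmd server server1 'com.example.**'
echo "Members missing the global serial filter:"
geode_procs_missing_filter "$SAMPLE_PROCS"
```

On a real host, replace the constructed sample with `geode_procs_missing_filter "$(ps -eo args)"`; a non-empty result identifies members that need to be restarted with the flag (or, better, moved to Geode 1.15 on Java 11).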
Vendor References
- Apache Geode - lists.apache.org/thread/9lqq7lly0jr1blp81ooct83gc0o1mft1
CVEs related to QID 730608
Software Advisories
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GEODE | Linux | | |