GitHub Advisory Database: GHSA-72X9-48MC-PHH6
Published: Sep 01, 2022 - 12:00 a.m.

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data

CWE-502: Deserialization of Untrusted Data
Source: GitHub Advisory Database (github.com)
Tags: apache geode, untrusted data deserialization, rest api, java 8, java 11, security update, serialization, performance impact

CVSS v3.1 base score: 6.5 (Medium)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: Low
  User Interaction: None
  Scope: Unchanged
  Confidentiality Impact: None
  Integrity Impact: None
  Availability Impact: High

EPSS: 0.001 (percentile 48.8%)

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw (CWE-502) when the REST API is used on Java 8 or Java 11. Anyone wishing to protect against deserialization attacks involving the REST API should upgrade to Apache Geode 1.15 and, following the documentation, enable “validate-serializable-objects=true” and list any user classes that may be serialized or deserialized in “serializable-object-filter”. The upgrade alone does not turn validation on: the property defaults to off, and enabling “validate-serializable-objects” may impact performance.
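The advisory leaves two things for an operator to verify: that geode-core is at 1.15.0 or later, and that the server's gemfire.properties actually carries the two settings above. The script below is an added example written for this page; it is not code from the advisory or from the Apache Geode project. It assumes the property names the advisory quotes (validate-serializable-objects, serializable-object-filter) plus Geode's documented start-dev-rest-api / http-service-port properties for the developer REST API, and that the filter value uses the JDK serialization-filter pattern syntax (JEP 290), which is what Geode passes the property to. Both sample property files are constructed, and the com.example class names in them are placeholders.

```python
"""Audit a Geode deployment for the two things GHSA-72X9-48MC-PHH6 asks for.

Added example, not Geode project code. It checks (1) that the geode-core
version is at least 1.15.0, where the advisory says the fix lives, and
(2) that the server's gemfire.properties turn on
validate-serializable-objects and list the user classes allowed through
serializable-object-filter. The sample property files are constructed
here; the class names in them are placeholders.
"""
import re

FIXED_VERSION = (1, 15, 0)  # first release the advisory says is fixed

# Constructed sample: REST API on, deserialization left unvalidated (the vulnerable shape).
WEAK_PROPERTIES = """\
# gemfire.properties (constructed example)
start-dev-rest-api=true
http-service-port=7070
"""

# Constructed sample: the configuration the advisory asks for.
# Filter syntax is the JDK serialization filter pattern list (JEP 290), which is
# what Geode hands this property to (assumption); package/class names are placeholders.
HARDENED_PROPERTIES = """\
# gemfire.properties (constructed example)
start-dev-rest-api=true
http-service-port=7070
validate-serializable-objects=true
serializable-object-filter=com.example.model.**;com.example.dto.Order
"""


def parse_version(version: str) -> tuple:
    """'1.14.4' -> (1, 14, 4); a '-SNAPSHOT'/'-rc1' qualifier is dropped before comparing."""
    numeric = version.split("-", 1)[0]
    return tuple(int(part) for part in numeric.split("."))


def is_affected_version(version: str) -> bool:
    """True for every geode-core release below 1.15.0 (the advisory's range is '<1.15.0')."""
    return parse_version(version) < FIXED_VERSION


def parse_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit_properties(props: dict) -> list:
    """Return findings for a parsed gemfire.properties; an empty list means hardened as advised."""
    findings = []
    rest_enabled = props.get("start-dev-rest-api", "false").lower() == "true"
    validating = props.get("validate-serializable-objects", "false").lower() == "true"
    if not validating:
        msg = "validate-serializable-objects is not true: JDK deserialization is unfiltered"
        if rest_enabled:
            msg += " and the developer REST API is enabled (the advisory's exposed path)"
        findings.append(msg)
        return findings
    patterns = [p.strip() for p in props.get("serializable-object-filter", "").split(";") if p.strip()]
    if not patterns:
        findings.append("serializable-object-filter is empty: no user classes are allowed through, "
                        "so application Serializable types will be rejected at deserialization")
    if "*" in patterns:
        findings.append("serializable-object-filter accepts '*': every class passes, which defeats validation")
    return findings


def audit(version: str, properties_text: str) -> list:
    """Combine the version and configuration checks into one list of findings."""
    findings = []
    if is_affected_version(version):
        findings.append(f"geode-core {version} is below 1.15.0: upgrade, the fix is not in this release")
    findings.extend(audit_properties(parse_properties(properties_text)))
    return findings


if __name__ == "__main__":
    for label, version, text in (("weak", "1.14.4", WEAK_PROPERTIES),
                                 ("hardened", "1.15.0", HARDENED_PROPERTIES)):
        print(f"{label}: {audit(version, text) or ['no findings']}")
```

Run it against the real gemfire.properties of each server, not just the constructed samples. Two points from the advisory text matter when acting on the findings: validation is a filter, so any application class that legitimately crosses the wire has to be listed or it will be rejected once validate-serializable-objects is on, and the advisory warns that enabling validation may cost performance, so measure in a staging cluster before rolling it to production.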

Affected configurations (Vulners)

Package: org.apache.geode:geode-core
Affected range: < 1.15.0
CPE: cpe:2.3:a:org.apache.geode:geode-core:*:*:*:*:*:*:*:*
