CVE-2022-37022

EPSS 0.24%
Veröffentlicht 31.08.2022 07:15:07
Zuletzt bearbeitet 21.11.2024 07:14:18
Quelle security@apache.org
Teams Watchlist Login
Unerledigt Login

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Geode Version <= 1.12.2

Apache ≫ Geode Version >= 1.13.0 <= 1.13.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.24%	0.475

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-37022

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-37022

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-37022

EUVD