CVE-2022-37022

EPSS 0.24%
Published 31.08.2022 07:15:07
Last modified 21.11.2024 07:14:18
Source security@apache.org
Teams watchlist Login
Open Login

Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over RMI against deserialization attacks. This should have no impact on performance since it only affects JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Geode Version <= 1.12.2

Apache ≫ Geode Version >= 1.13.0 <= 1.13.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.24%	0.475

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

https://lists.apache.org/thread/kr1y4l9752g1ww1shnmh8dbfjq785k4m

Vendor Advisory

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-37022

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-37022

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-37022

EUVD