CVE-2022-37023 - Vulnerability Details - OpenCVE

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Geode

Configuration 1 [-]

cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-08-31T07:00:16

Updated: 2024-08-03T10:21:32.603Z

Reserved: 2022-07-29T00:00:00

Link: CVE-2022-37023

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-08-31T07:15:07.420

Modified: 2024-11-21T07:14:18.380

Link: CVE-2022-37023

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Java 8 or 11"], "product": "Apache Geode", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.15.0", "status": "affected", "version": "Apache Geode", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}], "metrics": [{"other": {"content": {"other": "high - possible RCE"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-31T07:00:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11", "workarounds": [{"lang": "en", "value": "Disable affected services such as JMX over RMI or REST APIs unless they are required. REST APIs can be disabled by setting `http-service-port` to zero."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-37023", "STATE": "PUBLIC", "TITLE": "Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Geode", "version": {"version_data": [{"platform": "Java 8 or 11", "version_affected": "<", "version_name": "Apache Geode", "version_value": "1.15.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "high - possible RCE"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj", "refsource": "MISC", "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Disable affected services such as JMX over RMI or REST APIs unless they are required. REST APIs can be disabled by setting `http-service-port` to zero."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T10:21:32.603Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-37023", "datePublished": "2022-08-31T07:00:16", "dateReserved": "2022-07-29T00:00:00", "dateUpdated": "2024-08-03T10:21:32.603Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C0E002C-C0BB-4B86-AF4B-28E90BBF667A", "versionEndExcluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}, {"lang": "es", "value": "Apache Geode versiones anteriores a 1.15.0, son vulnerables a un fallo de deserializaci\u00f3n de datos no confiables cuando es usada la API REST en Java versi\u00f3n 8 o Java versi\u00f3n 11. Cualquier usuario que desee protegerse contra los ataques de deserializaci\u00f3n que implican las APIs REST debe actualizar a Apache Geode versi\u00f3n 1.15 y seguir la documentaci\u00f3n para detalles sobre la habilitaci\u00f3n de \"validate-serializable-objects=true\" y especificar cualquier clase de usuario que pueda ser serializada/de serializada con \"serializable-object-filter\". Activar \"validate-serializable-objects\" puede afectar al rendimiento"}], "id": "CVE-2022-37023", "lastModified": "2024-11-21T07:14:18.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-31T07:15:07.420", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}