CVE-2022-37023 - OpenCVE

Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling "validate-serializable-objects=true" and specifying any user classes that may be serialized/deserialized with "serializable-object-filter". Enabling "validate-serializable-objects" may impact performance.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Apache	Geode

Configuration 1 [-]

cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*

References

Link	Resource
https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj	Mailing List Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: apache

Published: 2022-08-31T07:00:16

Updated: 2022-08-31T07:00:16

Reserved: 2022-07-29T00:00:00

Link: CVE-2022-37023

JSON object: View

NVD Information

Status : Analyzed

Published: 2022-08-31T07:15:07.420

Modified: 2022-09-06T18:16:49.663

Link: CVE-2022-37023

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"platforms": ["Java 8 or 11"], "product": "Apache Geode", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "1.15.0", "status": "affected", "version": "Apache Geode", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}], "metrics": [{"other": {"content": {"other": "high - possible RCE"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-31T07:00:16", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11", "workarounds": [{"lang": "en", "value": "Disable affected services such as JMX over RMI or REST APIs unless they are required. REST APIs can be disabled by setting `http-service-port` to zero."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2022-37023", "STATE": "PUBLIC", "TITLE": "Apache Geode deserialization of untrusted data flaw when using REST API on Java 8 or Java 11"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Geode", "version": {"version_data": [{"platform": "Java 8 or 11", "version_affected": "<", "version_name": "Apache Geode", "version_value": "1.15.0"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "high - possible RCE"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-502 Deserialization of Untrusted Data"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj", "refsource": "MISC", "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}]}, "source": {"discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Disable affected services such as JMX over RMI or REST APIs unless they are required. REST APIs can be disabled by setting `http-service-port` to zero."}]}}}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2022-37023", "datePublished": "2022-08-31T07:00:16", "dateReserved": "2022-07-29T00:00:00", "dateUpdated": "2022-08-31T07:00:16", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:geode:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C0E002C-C0BB-4B86-AF4B-28E90BBF667A", "versionEndExcluding": "1.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1.15 and follow the documentation for details on enabling \"validate-serializable-objects=true\" and specifying any user classes that may be serialized/deserialized with \"serializable-object-filter\". Enabling \"validate-serializable-objects\" may impact performance."}, {"lang": "es", "value": "Apache Geode versiones anteriores a 1.15.0, son vulnerables a un fallo de deserializaci\u00f3n de datos no confiables cuando es usada la API REST en Java versi\u00f3n 8 o Java versi\u00f3n 11. Cualquier usuario que desee protegerse contra los ataques de deserializaci\u00f3n que implican las APIs REST debe actualizar a Apache Geode versi\u00f3n 1.15 y seguir la documentaci\u00f3n para detalles sobre la habilitaci\u00f3n de \"validate-serializable-objects=true\" y especificar cualquier clase de usuario que pueda ser serializada/de serializada con \"serializable-object-filter\". Activar \"validate-serializable-objects\" puede afectar al rendimiento"}], "id": "CVE-2022-37023", "lastModified": "2022-09-06T18:16:49.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-08-31T07:15:07.420", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/6js89pbqrp52zlpwgry5fsdn76gxbbfj"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}