Kirk Lund

**Name of the Vulnerable Software and Affected Versions** Apache Geode versions up to 1.12.2 and 1.13.2 **Description** The issue is related to the deserialization of untrusted data when using JMX over RMI on Java 11, which can allow a remote attacker to execute arbitrary code. This flaw affects the JMX service of the Apache Geode data management platform. To protect against deserialization attacks involving JMX or RMI, users should upgrade to Apache Geode 1.15, which automatically protects JMX over RMI against such attacks when used with Java 11. **Recommendations** For Apache Geode versions up to 1.12.2 and 1.13.2, upgrade to Apache Geode 1.15 to protect against deserialization attacks involving JMX or RMI. This upgrade should have no impact on performance, as it only affects JMX/RMI, which is used by Gfsh to communicate with the JMX Manager hosted on a Locator.

**Name of the Vulnerable Software and Affected Versions** Apache Geode versions prior to 1.15.0 **Description** The issue is related to the restoration of untrusted data in memory through the REST API interface of the Apache Geode data management platform. This can allow a remote attacker to execute arbitrary code. The vulnerability is associated with the deserialization of untrusted data when using the REST API on Java 8 or Java 11. **Recommendations** To protect against deserialization attacks involving REST APIs, upgrade to Apache Geode 1.15.0 and follow the documentation for details on enabling `validate-serializable-objects=true` and specifying any user classes that may be serialized/deserialized with `serializable-object-filter`. Note that enabling `validate-serializable-objects` may impact performance.

**Name of the Vulnerable Software and Affected Versions** Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 **Description** The issue is related to the deserialization of untrusted data when using JMX over RMI on Java 8, which can allow a remote attacker to execute arbitrary code. To protect against deserialization attacks involving JMX or RMI, users should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then users should upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Using a global serial filter will impact performance. **Recommendations** For Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0, upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option.