PT-2022-4604 · Apache · Apache Geode

Kirk Lund · Published 2022-08-31 · Updated 2022-09-06 · CVE-2022-37022

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Geode versions up to 1.12.2 and 1.13.2

Description: The issue stems from deserialization of untrusted data when JMX over RMI is used on Java 11, which can allow a remote attacker to execute arbitrary code. The flaw affects the JMX service of the Apache Geode data management platform. To protect against deserialization attacks involving JMX or RMI, users should upgrade to Apache Geode 1.15, which automatically protects JMX over RMI against such attacks when run on Java 11.

Recommendations: For Apache Geode versions up to 1.12.2 and 1.13.2, upgrade to Apache Geode 1.15 to protect against deserialization attacks involving JMX or RMI. The upgrade should have no impact on performance, as it only affects JMX/RMI, which is used by Gfsh to communicate with the JMX Manager hosted on a Locator.

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers:
BDU:2022-05482
CVE-2022-37022
GHSA-QF8G-VPWP-6579

Affected Products: Apache Geode