PT-2022-4605 · Apache · Apache Geode

Kirk Lund · Published 2022-08-31 · Updated 2022-09-06 · CVE-2022-37023

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Apache Geode versions prior to 1.15.0

Description: The issue concerns the deserialization of untrusted data received through the REST API interface of the Apache Geode data management platform, which can allow a remote attacker to execute arbitrary code. The vulnerability is associated with the deserialization of untrusted data when using the REST API on Java 8 or Java 11.

Recommendations: To protect against deserialization attacks involving REST APIs, upgrade to Apache Geode 1.15.0 and follow the documentation for details on enabling validate-serializable-objects=true and specifying any user classes that may be serialized/deserialized with serializable-object-filter. Note that enabling validate-serializable-objects may impact performance.
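The hardened configuration the recommendation describes, as an added example that is not from the advisory or from the Geode project; it assumes the settings go in each member's `gemfire.properties` file and that `serializable-object-filter` accepts JEP 290 style class patterns, with `com.example.domain` standing in for the application's own package:

```properties
# Added example (not from the advisory). Assumed: gemfire.properties on every
# member that serves the REST API; com.example.domain is a placeholder package.

# Default is false, so any class on the classpath may be deserialized.
validate-serializable-objects=true

# Only the application's own serializable classes are accepted; everything
# else is rejected by the filter (pattern syntax assumed to follow JEP 290).
serializable-object-filter=com.example.domain.**
```

Since the advisory notes that validation has a performance cost, measure throughput on a test cluster before rolling the setting out.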

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

BDU:2022-05483
CVE-2022-37023
GHSA-72X9-48MC-PHH6

Affected Products

Apache Geode