PT-2022-4609 · Apache · Apache Geode

Kirk Lund · Published 2022-08-31 · Updated 2022-09-07

CVE-2022-37021

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0

Description: Affected Geode versions deserialize untrusted data when JMX over RMI is used on Java 8, which allows a remote, unauthenticated attacker to execute arbitrary code on a Locator or Server. To protect against deserialization attacks involving JMX or RMI, upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Note that a global serial filter applies to every deserialization in the JVM and will impact performance.

Recommendations: For Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0, upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option; classes not covered by that allowlist will be rejected once the filter is active.
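The mitigation above relies on a JDK serialization filter (JEP 290): every class descriptor read from an object stream is checked against an allowlist pattern before the object is instantiated, so a gadget chain never gets to run its readObject(). The following is an added example, not code from this advisory or from the Geode project, written for Java 11 (java.io.ObjectInputFilter; Java 8u121 and later expose the same API under sun.misc.ObjectInputFilter). The Heartbeat class, the FILTER_PATTERN allowlist and the use of java.util.ArrayList as a stand-in for an unapproved class are all constructed for illustration; the real Geode allowlist is what you configure through serializable-object-filter.

```java
import java.io.*;

/**
 * Constructed example: a JDK serialization filter that allowlists one
 * application class and rejects every other class at deserialization time.
 * Equivalent to setting the JVM-wide jdk.serialFilter, but scoped to one
 * stream so the two outcomes can be shown side by side.
 */
public class SerialFilterDemo {

    // Constructed application class that we DO want to accept from the wire.
    public static final class Heartbeat implements Serializable {
        private static final long serialVersionUID = 1L;
        final long sequence;
        Heartbeat(long sequence) { this.sequence = sequence; }
    }

    // Allowlist: accept exactly this class name, reject everything else ("!*").
    // Nested classes use the binary name, hence the '$'. Assumed pattern, not Geode's.
    static final String FILTER_PATTERN = "SerialFilterDemo$Heartbeat;!*";

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist filter applied to this stream. */
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter(FILTER_PATTERN));
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allowed class: the filter returns ALLOWED and the object is built normally.
        Heartbeat hb = (Heartbeat) deserializeFiltered(serialize(new Heartbeat(42)));
        System.out.println("accepted Heartbeat seq=" + hb.sequence);

        // Not on the allowlist: the stream is rejected while reading the class
        // descriptor, before any instance of the unexpected class exists.
        try {
            deserializeFiltered(serialize(new java.util.ArrayList<>()));
            System.out.println("BUG: unapproved class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo` on a Java 11 JDK. For a Geode deployment the equivalent switch is the flag quoted in the advisory, passed through gfsh when the member is started, for example `start server --name=server1 --J=-Dgeode.enableGlobalSerialFilter=true` (the member name is an example); any application classes that legitimately cross the wire must then be listed via serializable-object-filter, or they will be rejected exactly like the ArrayList above.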

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2022-05487
CVE-2022-37021
GHSA-Q4Q3-R45F-7GWG

Affected Products

Apache Geode
Java