CVE-2022-37021/CVE-2022-37022/CVE-2022-37023: Apache Geode RCE flaws
Apache Geode released the latest security bulletin on August 31, which contains three remote code execution vulnerabilities.
Apache Geode pools memory, CPU, network resources, and optionally local disk across multiple processes to manage application objects and behavior. It uses dynamic replication and data partitioning techniques to implement high availability, improved performance, scalability, and fault tolerance. In addition to being a distributed data container, Apache Geode is an in-memory data management system that provides reliable asynchronous event notifications and guaranteed message delivery.
CVE-2022-37021 is the “deserialization of untrusted data flaw when using JMX over RMI on Java 8,” and affects Apache Geode versions up to 1.12.5, 1.13.4, and 1.14.0. The severity is high. The user should upgrade to Apache Geode 1.15 and Java 11. “If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify `--J=-Dgeode.enableGlobalSerialFilter=true` when starting any Locators or Servers,” read the mail archive.
CVE-2022-37022 is the “deserialization of untrusted data flaw when using JMX over RMI on Java 11,” and affects Apache Geode versions up to 1.12.2 and 1.13.2. The severity is high. By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. The user should upgrade to Apache Geode 1.15.
To mitigate CVE-2022-37021 and CVE-2022-37022, you can “disable affected services such as JMX over RMI unless they are required. JMX over RMI can be disabled by setting Geode property `jmx-manager` to false; this property defaults to false on Servers and true on Locators.”
CVE-2022-37023 is the “deserialization of untrusted data flaw when using REST API on Java 8 or Java 11,” and affects Apache Geode versions prior to 1.15.0. The severity is high. The user should upgrade to Apache Geode 1.15 and also enable `validate-serializable-objects=true` and specify any user classes that may be serialized/deserialized with `serializable-object-filter`. Enabling `validate-serializable-objects` may impact performance.
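The mitigations above all come down to a handful of Geode properties and one JVM flag, so a defender's first step is usually to audit the `gemfire.properties` files (and start-up arguments) of every locator and server for them. The following Python script is an added example, not code from the advisory or from the Geode project: it parses a Java-style properties file, applies the role-dependent default for `jmx-manager` that the advisory states (true on locators, false on servers), and lists which of the named mitigations are missing. The property names are the ones from the advisory; the sample property files, the hypothetical filter value `com.example.app.**`, and the `audit_properties`/`parse_properties` function names are constructed for illustration.

```python
"""Audit Apache Geode gemfire.properties content against the mitigations
named for CVE-2022-37021, CVE-2022-37022 and CVE-2022-37023.

Added example; property names come from the advisory, everything else
(samples, function names) is constructed for illustration."""
from __future__ import annotations

GLOBAL_SERIAL_FILTER_FLAG = "-Dgeode.enableGlobalSerialFilter=true"


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties parser: '#' or '!' comment lines,
    'key=value' or 'key: value', surrounding whitespace ignored."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The separator is the first '=' or ':' in the line.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            props[line] = ""          # bare key, empty value
            continue
        sep = min(positions)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def audit_properties(props: dict[str, str], role: str,
                     jvm_args: tuple[str, ...] = ()) -> list[str]:
    """Return a list of missing-mitigation findings for one locator/server.

    role: "locator" or "server" (decides the jmx-manager default).
    jvm_args: start-up JVM arguments, with or without the gfsh '--J=' prefix.
    """
    if role not in ("locator", "server"):
        raise ValueError(f"unknown role {role!r}")
    findings: list[str] = []

    # Advisory: jmx-manager defaults to true on Locators, false on Servers.
    jmx_default = "true" if role == "locator" else "false"
    jmx_enabled = props.get("jmx-manager", jmx_default).strip().lower() == "true"
    if jmx_enabled:
        findings.append("jmx-manager is enabled: JMX over RMI exposed "
                        "(CVE-2022-37021/CVE-2022-37022); set jmx-manager=false "
                        "unless it is required")

    # Java 8 fallback from the advisory: the global serial filter JVM flag.
    normalized = {a[4:] if a.startswith("--J=") else a for a in jvm_args}
    if jmx_enabled and GLOBAL_SERIAL_FILTER_FLAG not in normalized:
        findings.append("JMX enabled without --J=" + GLOBAL_SERIAL_FILTER_FLAG +
                        " (Java 8 fallback mitigation)")

    # REST API mitigation (CVE-2022-37023): validation plus an allow-list.
    validate = props.get("validate-serializable-objects", "false").strip().lower() == "true"
    if not validate:
        findings.append("validate-serializable-objects is not true "
                        "(CVE-2022-37023 mitigation)")
    elif not props.get("serializable-object-filter", "").strip():
        findings.append("validate-serializable-objects=true but no "
                        "serializable-object-filter lists the user classes "
                        "that must be allowed")
    return findings


# Constructed sample files (not from any real deployment).
WEAK_LOCATOR = """# locator left on defaults: jmx-manager is implicitly true
name=locator1
"""

HARDENED_LOCATOR = """# locator with the advisory's settings applied
name=locator1
jmx-manager=false
validate-serializable-objects=true
serializable-object-filter=com.example.app.**
"""


if __name__ == "__main__":
    for label, text, role in (("weak locator", WEAK_LOCATOR, "locator"),
                              ("hardened locator", HARDENED_LOCATOR, "locator"),
                              ("weak server", WEAK_LOCATOR, "server")):
        print(f"== {label} ==")
        for f in audit_properties(parse_properties(text), role) or ["no findings"]:
            print("  -", f)
```

Run it against each node's `gemfire.properties` together with the arguments the node is actually started with; a locator that sets nothing is reported three times (JMX on by default, no global serial filter flag, no serialization validation), while a server with the same empty file is reported only for the missing `validate-serializable-objects`, because its `jmx-manager` default is already false.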