9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-37021

GHSA ID

GHSA-q4q3-r45f-7gwg

EPSS Score

0.61986%

CWE

CWE-502

Published

9/1/2022

Updated

3/10/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-37021

CVE-2022-37021: Apache Geode vulnerable to Deserialization of Untrusted Data

Apache Geode versions up to 1.12.5, 1.13.4 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 8. Any user still on Java 8 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-37021

GHSA ID

GHSA-q4q3-r45f-7gwg

EPSS Score

0.61986%

CWE

CWE-502

Published

9/1/2022

Updated

3/10/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.geode:geode-core	maven	< 1.12.16	1.12.16
org.apache.geode:geode-core	maven	>= 1.13.0, < 1.13.5	1.13.5
org.apache.geode:geode-core	maven	>= 1.14.0, < 1.14.1	1.14.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability involves insecure deserialization via JMX/RMI in Java 8. Key functions include those initializing JMX services (JmxManager.startJmxManager) and handling RMI deserialization (RemoteFilterChain.readObject). These functions likely lacked serialization filters in vulnerable versions, as the patch introduces a system property to enable filtering. The confidence is medium due to inferred code behavior from vulnerability descriptions and Java RMI/JMX patterns, though exact patch details are unavailable.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*p**** **o** v*rsions up to *.**.*, *.**.* *n* *.**.* *r* vuln*r**l* to * **s*ri*liz*tion o* untrust** **t* *l*w w**n usin* JMX ov*r RMI on J*v* *. *ny us*r still on J*v* * w*o wis**s to prot**t ***inst **s*ri*liz*tion *tt**ks involvin* JMX or RMI s*

Reasoning

T** vuln*r**ility involv*s ins**ur* **s*ri*liz*tion vi* JMX/RMI in J*v* *. K*y *un*tions in*lu** t*os* initi*lizin* JMX s*rvi**s (JmxM*n***r.st*rtJmxM*n***r) *n* **n*lin* RMI **s*ri*liz*tion (R*mot**ilt*r***in.r***O*j**t). T**s* *un*tions lik*ly l**k

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-37021: Apache Geode vulnerable to Deserialization of Untrusted Data

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI