CVE-2017-15693 Apache Geode unsafe deserialization of application objects

Severity:  Important

Vendor: The Apache Software Foundation

Versions Affected:  Apache Geode 1.0.0 through 1.3.0

The Geode server stores application objects in serialized form.
Certain cluster operations and API invocations cause these objects to
be deserialized.  An user with DATA:WRITE access to the cluster may be
able to cause remote code execution if certain classes are present on
the classpath.

Users of the affected versions should upgrade to Apache Geode 1.4.0 or
later.  In addition, users should set the flags
validate-serializable-objects and serializable-object-filter.

This issue was reported responsibly to the Apache Geode Security Team
by Man Yue Mo from Semmle.


Reply via email to