Date: Fri, 23 Feb 2018 14:19:09 -0800 From: Anthony Baker <abaker@...che.org> To: user@...de.apache.org, dev@...de.apache.org, announce@...che.org, asf-security <security@...che.org>, oss-security@...ts.openwall.com, mmo@...mle.com Subject: [SECURITY] CVE-2017-15693 Apache Geode unsafe deserialization of application objects CVE-2017-15693 Apache Geode unsafe deserialization of application objects Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Geode 1.0.0 through 1.3.0 Description: The Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. An user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath. Mitigation: Users of the affected versions should upgrade to Apache Geode 1.4.0 or later. In addition, users should set the flags validate-serializable-objects and serializable-object-filter. Credit: This issue was reported responsibly to the Apache Geode Security Team by Man Yue Mo from Semmle. References:  https://issues.apache.org/jira/browse/GEODE-3923  https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.