CVE-2017-15693 — Apache Geode unsafe deserialization of application objects

Description

In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.

How to fix CVE-2017-15693

To remediate CVE-2017-15693, upgrade the affected package to a fixed version below.

—upgrade to 1.4.0 or later

Is CVE-2017-15693 being exploited?

Low — EPSS is 3.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.0.0, < 1.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-15693
WEBgithub.com/apache/geode/pull/1166
WEBissues.apache.org/jira/browse/GEODE-3923
WEBlists.apache.org/thread.html/cc3ec1d06062f54fdaa0357874c1d148fc54bb955f2d2df4ca328a3d@%3Cuser.geode.apache.org%3E