SCA: security update for org.apache.geode:geode-core (GHSA-qf8g-vpwp-6579)

high Tenable Cloud Security Plugin ID 418088

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Apache Geode versions up to 1.12.2 and 1.13.2 are vulnerable to a deserialization of untrusted data flaw
when using JMX over RMI on Java 11. Any user wishing to protect against deserialization attacks involving
JMX or RMI should upgrade to Apache Geode 1.15. Use of 1.15 on Java 11 will automatically protect JMX over
RMI against deserialization attacks. This should have no impact on performance since it only affects
JMX/RMI which Gfsh uses to communicate with the JMX Manager which is hosted on a Locator. (CVE-2022-37022)

See Also

https://github.com/advisories/GHSA-qf8g-vpwp-6579

Plugin Details

Severity: High

ID: 418088

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.99

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-37022

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/1/2022

Vulnerability Publication Date: 8/31/2022

Reference Information

CVE: CVE-2022-37022

cwe: CWE-502