CVE-2017-15693: Input Validation
First published: Tue Feb 27 2018(Updated: )
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized. A user with DATA:WRITE access to the cluster may be able to cause remote code execution if certain classes are present on the classpath.
Credit: security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Geode | <1.4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2017-15693?
CVE-2017-15693 is a vulnerability in Apache Geode before v1.4.0 that allows a user with DATA:WRITE access to the cluster to execute remote code if certain classes are present.
How severe is CVE-2017-15693?
CVE-2017-15693 has a severity rating of 7.5 (high).
How does CVE-2017-15693 work?
In Apache Geode before v1.4.0, the Geode server stores application objects in serialized form. Certain cluster operations and API invocations cause these objects to be deserialized, which can be exploited by a user with DATA:WRITE access to the cluster.
Which software versions are affected by CVE-2017-15693?
Apache Geode versions up to, but not including, v1.4.0 are affected by CVE-2017-15693.
How can CVE-2017-15693 be mitigated?
To mitigate CVE-2017-15693, users should upgrade to Apache Geode v1.4.0 or later.
- collector/nvd-index
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/type
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/apache
- canonical/apache geode