All Vulnerability Reports

CVE-2019-11286: JMX Credential Deserialization in GemFire


Severity

Critical

Vendor

VMware Tanzu

Description

VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

  • VMware GemFire
    • 9.7 versions prior to 9.7.5
    • 9.8 versions prior to 9.8.5
    • 9.9 versions prior to 9.9.1
  • VMware Tanzu GemFire for VMs
    • 1.8 versions prior to 1.8.2
    • 1.9 versions prior to 1.9.2
    • 1.10 versions prior to 1.10.1

Mitigation

Users of affected versions should apply the following mitigation or upgrade. Releases that have fixed this issue include:

  • VMware GemFire
    • 9.7.5
    • 9.8.5
    • 9.9.1
    • 9.10.0
  • VMware Tanzu GemFire for VMs
    • 1.8.2
    • 1.9.2
    • 1.10.1
    • 1.11.0

Credit

An Trinh

References

History

2020-07-30: Initial vulnerability report published.