When an Apache Geode server versions 1.0.0 to 1.4.0 is configured with a security manager, a user with DATA:WRITE privileges is allowed to deploy code by invoking an internal Geode function. This allows remote code execution. Code deployment should be restricted to users with DATA:MANAGE privilege.
References
- https://nvd.nist.gov/vuln/detail/CVE-2017-15695
- https://lists.apache.org/thread.html/dc8875c0b924885a884eba6d5bd7dc3f123411b2d33cffd00e351c99@%3Cuser.geode.apache.org%3E
- https://github.com/apache/geode/pull/1258
- https://cwiki.apache.org/confluence/display/GEODE/Release+Notes#ReleaseNotes-SecurityVulnerabilities
- https://issues.apache.org/jira/browse/GEODE-3974
- https://github.com/advisories/GHSA-jmg4-x4vp-6c6x