Support Content Notification - Support Portal

CVE-2019-11286: JMX Credential Deserialization in GemFire

Product/Component

Notification Id

23904

Last Updated

30 July 2020

Initial Publication Date

30 July 2020

Status

CLOSED

Severity

CRITICAL

CVSS Base Score

WorkAround

Affected CVE

CVE-2019-11286

Severity

Critical

Vendor

VMware Tanzu

Description

VMware GemFire versions prior to 9.10.0, 9.9.1, 9.8.5, and 9.7.5, and VMware Tanzu GemFire for VMs versions prior to 1.11.0, 1.10.1, 1.9.2, and 1.8.2, contain a JMX service available to the network which does not properly restrict input. A remote authenticated malicious user may request against the service with a crafted set of credentials leading to remote code execution.

Affected VMware Products and Versions

Severity is critical unless otherwise noted.

VMware GemFire
- 9.7 versions prior to 9.7.5
- 9.8 versions prior to 9.8.5
- 9.9 versions prior to 9.9.1
VMware Tanzu GemFire for VMs
- 1.8 versions prior to 1.8.2
- 1.9 versions prior to 1.9.2
- 1.10 versions prior to 1.10.1

Mitigation

VMware GemFire
- 9.7.5
- 9.8.5
- 9.9.1
- 9.10.0
VMware Tanzu GemFire for VMs
- 1.8.2
- 1.9.2
- 1.10.1
- 1.11.0

Credit

An Trinh

References

https://tanzu.vmware.com/security/cve-2019-11286

History

2020-07-30: Initial vulnerability report published.