Apache Geode versions 1.13.3 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 9. Any user still on Java 9 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option; without such an allow-list the global filter may reject application classes it does not know. Using a global serial filter will impact performance.

The serial filter is enabled by default on all new installations of Apache Geode 1.15. Users whose existing applications break because the filter rejects classes they legitimately deserialize may turn it off by specifying "--J=-Dgeode.enableGlobalSerialFilter=false" when starting Apache Geode, at the cost of losing the protection against this flaw; the supported alternative is to list those classes in "serializable-object-filter" instead. Apache Geode 1.15 and above run on Java 11, and no additional startup flag is needed for that.
Apache Geode 1.10 and Earlier
Apache Geode 1.10 and earlier releases are not covered by the fix described in this advisory. Users on those releases should upgrade to Apache Geode 1.15 and, where possible, Java 11, and then apply the serial filter settings described above (the "--J=-Dgeode.enableGlobalSerialFilter" startup property and the "serializable-object-filter" configuration option).
Other Software Updates
Apache Geode 1.15 and above run on Java 11. For a full list of software updates please see the release notes at https://cwiki.apache.org/confluence/display/GEODE/1.15+Release+Notes
Install Apache Geode and Java 11
If you are using Apache Geode on Java 9, upgrade to Apache Geode 1.15 and Java 11. If you cannot move to Java 11, still upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers.
Apache Geode Versioning
Affected versions: Apache Geode 1.13.3 and 1.14.0 are vulnerable to a deserialization of untrusted data flaw when using JMX over RMI on Java 9. Fixed version: Apache Geode 1.15. Any user still on Java 9 who wishes to protect against deserialization attacks involving JMX or RMI should upgrade to Apache Geode 1.15 and Java 11. If upgrading to Java 11 is not possible, then upgrade to Apache Geode 1.15 and specify "--J=-Dgeode.enableGlobalSerialFilter=true" when starting any Locators or Servers. Follow the documentation for details on specifying any user classes that may be serialized/deserialized with the "serializable-object-filter" configuration option. Using a global serial filter will impact performance.
Apache Geode version 1.15 and Java 11
The 1.15 release of Apache Geode runs on Java 11. This release also enables a "serial filter" by default to block deserialization attacks when using JMX over RMI. The filter builds on the JDK serialization filtering mechanism (JEP 290) that was introduced in Java 9 in September 2017 and backported to Java 8. The serial filter is enabled by default on all new installations of Apache Geode; users whose existing applications break because the filter rejects classes they legitimately deserialize may turn it off by specifying "--J=-Dgeode.enableGlobalSerialFilter=false" when starting Apache Geode, accepting that this removes the protection against the flaw described above.
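The following is an added example, not code from Apache Geode or from this advisory. It shows the JDK mechanism that a global serial filter of this kind relies on: a process-wide JEP 290 ObjectInputFilter that applies to every ObjectInputStream which does not install its own filter, including the ones JMX over RMI uses. The class names (Allowed, Unexpected) and the allow-list pattern are hypothetical; the pattern syntax is the standard JEP 290 syntax, which is also what an allow-list of user classes is written in. The same stream is read twice, once with no filter (the vulnerable state) and once after the global filter is installed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added example (not Apache Geode code). Requires Java 9 or later for
// java.io.ObjectInputFilter. Class and pattern names are hypothetical.
public class SerialFilterDemo {

    // A class the application legitimately exchanges over JMX/RMI.
    public static final class Allowed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String value;
        Allowed(String value) { this.value = value; }
    }

    // Stands in for a class an attacker sends that the application never
    // expects; in a real attack this would be a gadget class already on the
    // classpath, not a harmless holder like this one.
    public static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
        final String payload;
        Unexpected(String payload) { this.payload = payload; }
    }

    // Allow-list in JEP 290 pattern syntax: the one application class we
    // expect, everything in the java.base module, and "!*" rejects the rest.
    // A Geode "serializable-object-filter" value for user classes is written
    // in this same syntax (assumption: exact Geode wiring is not shown here).
    static final String PATTERN = "SerialFilterDemo$Allowed;java.base/*;!*";

    static byte[] serialize(Object o) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deliberately sets no per-stream filter: it is protected only by the
    // process-wide filter, exactly like a stream opened by library code.
    static Object deserialize(byte[] bytes) throws Exception {
        try (ObjectInputStream ois =
                 new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Allowed("hello"));
        byte[] bad  = serialize(new Unexpected("gadget chain would go here"));

        // 1. No global filter: both payloads deserialize (the vulnerable state).
        System.out.println("no filter:   " + deserialize(good).getClass().getSimpleName());
        System.out.println("no filter:   " + deserialize(bad).getClass().getSimpleName());

        // 2. Install the process-wide filter. This is the programmatic twin of
        //    starting the JVM with -Djdk.serialFilter=<pattern>. It may be set
        //    only once per JVM; a second call (or a JVM already started with
        //    -Djdk.serialFilter) throws IllegalStateException.
        ObjectInputFilter.Config.setSerialFilter(
            ObjectInputFilter.Config.createFilter(PATTERN));

        // 3. Allowed class still works; the unexpected class is rejected before
        //    any of its code or readObject() hooks can run.
        System.out.println("with filter: " + deserialize(good).getClass().getSimpleName());
        try {
            deserialize(bad);
            System.out.println("with filter: Unexpected was NOT rejected (filter misconfigured)");
        } catch (InvalidClassException e) {
            // Message from the JDK reads "filter status: REJECTED".
            System.out.println("with filter: rejected Unexpected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac SerialFilterDemo.java && java SerialFilterDemo`. The important property for an operator is the one step 2 relies on: a global filter covers streams you never see, which is why a startup property such as "--J=-Dgeode.enableGlobalSerialFilter=true" can protect the JMX/RMI path without touching application code, and also why every class the application legitimately deserializes must appear in the allow-list or it will be rejected the same way Unexpected is.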
Timeline
Published on: 08/31/2022 07:15:00 UTC
Last modified on: 09/07/2022 00:57:00 UTC