CVE-2021-34797

7.5 HIGH

📋 TL;DR

Apache Geode versions up to 1.12.4 and 1.13.4 fail to properly redact sensitive information in log files when passwords or security properties begin with non-alphanumeric characters and have specific prefixes. This exposes credentials like passwords and SSL keys in logs. Organizations using vulnerable Apache Geode versions with custom password formats are affected.

💻 Affected Systems

Products:
  • Apache Geode
Versions: Up to 1.12.4 and 1.13.4
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when using passwords or security properties that begin with non-alphanumeric characters (e.g., symbols) and have prefixes 'sysprop-', 'javax.net.ssl', or 'security-'.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to log files containing unredacted passwords, SSL keys, or security properties, leading to complete system compromise, data theft, or lateral movement.

🟠 Likely Case

Sensitive credentials appear in log files accessible to administrators or monitoring systems, potentially exposing them to unauthorized personnel or attackers with log access.

🟢 If Mitigated

With proper log file access controls and monitoring, exposure is limited to authorized personnel only, though credential exposure still poses risk.

🌐 Internet-Facing: MEDIUM - If logs are exposed via web interfaces or misconfigured permissions, attackers could access sensitive credentials remotely.
🏢 Internal Only: HIGH - Log files often have broad internal access; exposed credentials could be leveraged by malicious insiders or attackers who breach internal networks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to log files containing the unredacted sensitive information; no authentication bypass or complex attack chain needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.5, 1.13.5, and 1.14.0

Vendor Advisory: https://lists.apache.org/thread/nq2w9gjzm1cjx1rh6zw41ty39qw7qpx4

Restart Required: Yes

Instructions:

1. Download and install Apache Geode version 1.12.5, 1.13.5, or 1.14.0 from the official Apache website.
2. Stop all Geode services.
3. Replace the existing installation with the patched version.
4. Restart all Geode services.
5. Verify the update by checking the version.

🔧 Temporary Workarounds

Avoid Passwords Beginning with Non-Alphanumeric Characters (all platforms)

Ensure that no password or security property begins with a non-alphanumeric character (e.g., a symbol as the first character), and avoid the vulnerable 'sysprop-', 'javax.net.ssl', and 'security-' prefixes where possible.

Restrict Log File Access (linux)

Implement strict file permissions on log directories to limit access to authorized users only.

chmod 600 /path/to/geode/logs/*.log
chown geode:geode /path/to/geode/logs/*.log

🧯 If You Can't Patch

  • Rotate all passwords and security properties that might have been exposed in logs, especially those with non-alphanumeric starting characters.
  • Implement centralized log monitoring with alerting for any log entries containing sensitive strings like 'password' or 'ssl'.

🔍 How to Verify

Check if Vulnerable:

Check if using Apache Geode version 1.12.4 or earlier, or 1.13.4 or earlier, and review configuration for passwords/properties starting with non-alphanumeric characters and vulnerable prefixes.

Check Version:

gfsh version

Verify Fix Applied:

After patching, verify the installed version is 1.12.5, 1.13.5, or 1.14.0, and test with a sample password to confirm redaction in logs.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing unredacted passwords, SSL keys, or security properties with prefixes 'sysprop-', 'javax.net.ssl', or 'security-', especially if they start with symbols.

Network Indicators:

  • None specific; detection relies on log analysis.

SIEM Query:

source="apache_geode_logs" AND ("password" OR "ssl" OR "sysprop-" OR "security-") NOT "[REDACTED]"
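As an added example (not from this advisory or the Apache Geode project), the following Python script applies the log check described above to constructed sample lines: it flags any property whose name carries one of the prefixes the advisory names, or contains 'password', and whose value is not the redaction placeholder, then notes which of those values begin with a non-alphanumeric character. The '[REDACTED]' placeholder (taken from the SIEM query above), the log-line shape, and the property names are assumptions.

```python
import re

# Assumed redaction placeholder; matches the SIEM query on this page, not a
# value confirmed from Geode's own redaction code.
REDACTED = "[REDACTED]"

# Property names this advisory calls out: the 'sysprop-', 'javax.net.ssl' and
# 'security-' prefixes, plus any name containing 'password'. Values run to the
# next whitespace.
SENSITIVE_KEY = re.compile(
    r"(?i)\b((?:sysprop-|javax\.net\.ssl|security-)[\w.\-]*"
    r"|[\w.\-]*password[\w.\-]*)=(\S+)"
)

# Constructed sample log lines (hypothetical, not from a real deployment).
SAMPLE_LOG = [
    "[info locator1] Startup Configuration: log-level=config",
    "[info locator1] Startup Configuration: security-password=[REDACTED]",
    "[info locator1] Startup Configuration: javax.net.ssl.keyStorePassword=%keystorepw",
    "[info locator1] Startup Configuration: sysprop-db-password=#s3cret",
    "[info locator1] Startup Configuration: ssl-keystore-password=changeit",
]


def find_unredacted(lines):
    """Return (line_no, key, value) for each sensitive key whose value is not redacted."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, value in SENSITIVE_KEY.findall(line):
            if value != REDACTED:
                hits.append((n, key, value))
    return hits


def starts_non_alphanumeric(value):
    """True when the value begins with a symbol, the shape CVE-2021-34797 mishandled."""
    return bool(value) and not value[0].isalnum()


if __name__ == "__main__":
    for n, key, value in find_unredacted(SAMPLE_LOG):
        shape = "symbol-first" if starts_non_alphanumeric(value) else "alphanumeric-first"
        print(f"line {n}: {key} is unredacted ({shape})")
```

Run it against a real Geode log directory by replacing SAMPLE_LOG with the file's lines; any hit means the deployment is leaking a value the patched versions are expected to redact.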

🔗 References