CVE-2022-24289: 
Java vulnerability analysis and mitigation

Hessian serialization is a network protocol that supports object-based transmission in Apache Cayenne's Remote Object Persistence (ROP) feature. CVE-2022-24289 affects Apache Cayenne 4.1 and earlier versions when running on non-current patch versions of Java. The vulnerability was disclosed on February 11, 2022, and impacts the optional ROP feature which provides object persistence and query functionality to remote applications (OSS Security, NVD).

The vulnerability exists in the Hessian deserialization component of Apache Cayenne's ROP feature. When running on older, unpatched Java versions, the system does not properly validate deserialized data from remote clients. This vulnerability has a CVSS score of 6.5, indicating moderate severity (NVD).

An attacker with client access to Cayenne ROP can transmit malicious payloads to vulnerable third-party dependencies on the server, potentially resulting in arbitrary code execution (OSS Security).

There are two mitigation options available: 1) Upgrade to Apache Cayenne 4.2 or later, which has whitelisting enabled by default for Hessian deserialization, or 2) Upgrade Java to versions that include LDAP mitigation (versions after 6u211, 7u201, 8u191, and 11.0.1). In the newer Java versions, the com.sun.jndi.ldap.object.trustURLCodebase system property is set to false by default to prevent JNDI from loading remote code through LDAP (OSS Security).