Bug 1595650 (CVE-2018-8016)

Summary: CVE-2018-8016 cassandra: Unauthenticated JMX/RMI interface bound to all network interfaces (Regression of CVE-2015-0225)
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: krathod, loleary, spinder, theute, tomm.momi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: cassandra 3.11.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:30:49 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1595651, 1597437    
Bug Blocks: 1595652    

Description Andrej Nemec 2018-06-27 09:19:50 UTC
It was found that Apache Cassandra bound an unauthenticated JMX/RMI interface to all network interfaces. A remote attacker able to access the RMI, an API for the transport and remote execution of serialized Java, could use this flaw to execute arbitrary code as the user running Cassandra.

This issue is a regression of the previously disclosed CVE-2015-0225.

References:

http://seclists.org/oss-sec/2018/q2/234

Introduced in:

https://issues.apache.org/jira/browse/CASSANDRA-12109

Patched in:

https://issues.apache.org/jira/browse/CASSANDRA-14173

Comment 1 Andrej Nemec 2018-06-27 09:20:10 UTC
Created cassandra tracking bugs for this issue:

Affects: fedora-all [bug 1595651]