Red Hat Bugzilla – Bug 1208181
CVE-2015-0225 Cassandra: remote code execution via unauthenticated JMX/RMI interface
Last modified: 2015-11-12 11:54 EST
It was found that Apache Cassandra bound an unauthenticated JMX/RMI interface to all network interfaces. A remote attacker able to access the RMI, an API for the transport and remote execution of serialized Java, could use this flaw to execute arbitrary code as the user running Cassandra. This issue is fixed in versions 2.0.14 and 2.1.4 of Cassandra. The 1.2.x version of Cassandra no longer receives updates. This issue can be mitigated by manually configuring encryption and authentication for JMX as documented at https://wiki.apache.org/cassandra/JmxSecurity . Upstream announcement: http://seclists.org/oss-sec/2015/q2/5
We have reproduced this issue on JON 3.3
Upstream Fix: https://github.com/apache/cassandra/commit/2433068c157cd21d4217c98ec5c0b9a2c07e288d
I have made the changes to cassandra-jvm.properties and also to cassandra.bat. https://github.com/jsanda/rhq/commit/f62c598fd80c7e39f1a2885d689add31d7267f8f Once we have the new Cassandra artifacts published, I will merge the RHQ changes into master and then into the release/jon3.3.x branch.
The following commits have been pushed to the release/jon3.3.x branch, 371b7bb9 2a9690e5 29c63808 d78f5f94 3f8ce8fa 8d139b1a 84350375 e8806bc0
We aim to fix this issue in the next version of JON, 3.3.4. In the meantime there is mitigation advise found here: https://access.redhat.com/node/1543983/
This issue has been addressed in the following products: Via RHSA-2015:1947 https://rhn.redhat.com/errata/RHSA-2015-1947.html
Created attachment 1093412 [details] Cassandra rebuild details if needed later. Beaker details: HOSTNAME=kvm-guest-02.rhts.eng.bos.redhat.com JOBID=1061651 RECIPEID=2169550 RESULT_SERVER=127.0.0.1:7088 DISTRO=RHEL-6.7-20150710.n.0 ARCHITECTURE=x86_64