It was found that Apache Cassandra bound an unauthenticated JMX/RMI interface to all network interfaces. A remote attacker able to access the RMI, an API for the transport and remote execution of serialized Java, could use this flaw to execute arbitrary code as the user running Cassandra.
This issue is fixed in versions 2.0.14 and 2.1.4 of Cassandra. The 1.2.x version of Cassandra no longer receives updates.
This issue can be mitigated by manually configuring encryption and authentication for JMX as documented at https://wiki.apache.org/cassandra/JmxSecurity .
We have reproduced this issue on JON 3.3
I have made the changes to cassandra-jvm.properties and also to cassandra.bat.
Once we have the new Cassandra artifacts published, I will merge the RHQ changes into master and then into the release/jon3.3.x branch.
The following commits have been pushed to the release/jon3.3.x branch,
We aim to fix this issue in the next version of JON, 3.3.4. In the meantime there is mitigation advise found here:
This issue has been addressed in the following products:
Via RHSA-2015:1947 https://rhn.redhat.com/errata/RHSA-2015-1947.html
Created attachment 1093412 [details]
Cassandra rebuild details if needed later.