Timeline

Download the advisory here

Apache Cassandra was found to bind an unauthenticated JMX/RMI service on all network interfaces. An adversary with network access may abuse this service and achieve arbitrary remote code execution as the running user.

Description

Apache Cassandra is an open source distributed database management system. Cassandra is designed to handle large amounts of data across many commodity servers with no single point of failure.

Apache Cassandra was found to bind an unauthenticated JMX/RMI service on all network interfaces. An adversary with network access may abuse this service and achieve arbitrary remote code execution as the running user.

Impact

An attacker may achieve arbitrary code execution with the privileges of the user running Cassandra on the remote system.

Cause

The default installation of Apache Cassandra binds an unauthenticated JMX/RMI service on all available network interfaces.

Interim Workaround

This vulnerability can be mitigated by enabling authentication for the JMX/RMI endpoint, reconfiguring the service to bind on localhost or completely disabling the service.

The following lines will enable JMX authentication when added to Cassandra’s startup shell script.

JVM_OPTS=“$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true” JVM_OPTS=“$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password”

Solution

Users of Apache Cassandra 2.0.X should upgrade to version 2.0.14, whilst users of 2.1.X need to upgrade to version 2.1.4.

Technical details

Java Management Extensions (JMX) technology provides a simple and standard way of managing and monitoring resources related to an instance of a Java Virtual Machine (JVM). This is achieved by instrumenting resources with Java objects known as Managed Beans (MBeans) that are registered with an MBean server.

Apache Cassandra was found to bind a JMX/RMI service by default. This service was exposed without authentication and available on all network interfaces.