From: Jake Luciani
Date: Wed, 1 Apr 2015 09:43:43 -0400
Subject: [SECURITY ANNOUNCEMENT] CVE-2015-0225
To: user, dev@cassandra.apache.org
Cc: georgi.geshev@mwrinfosecurity.com, security@apache.org, oss-security@lists.openwall.com, bugtraq@securityfocus.com

CVE-2015-0225: Apache Cassandra remote execution of arbitrary code

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Cassandra 1.2.0 to 1.2.19
Cassandra 2.0.0 to 2.0.13
Cassandra 2.1.0 to 2.1.3

Description:
Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user.

Mitigation:
1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade to a supported version of Cassandra, or manually configure encryption and authentication of JMX (see https://wiki.apache.org/cassandra/JmxSecurity).
2.0.x users should upgrade to 2.0.14
2.1.x users should upgrade to 2.1.4

Alternately, users of any version not wishing to upgrade can reconfigure JMX/RMI to enable encryption and authentication according to https://wiki.apache.org/cassandra/JmxSecurity or http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

Credit:
This issue was discovered by Georgi Geshev of MWR InfoSecurity
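The mitigation above boils down to two JVM flags that Cassandra's conf/cassandra-env.sh passes to the JMX agent. The following added example (not part of the advisory or of the Cassandra project) audits a cassandra-env.sh style configuration for the weak settings and shows the hardened form beside it. It assumes the standard com.sun.management.jmxremote.* system properties documented in the Oracle agent guide linked above; the two configuration samples are constructed for illustration, and the password/access file paths in the hardened sample are placeholders, not Cassandra's own.

```shell
#!/bin/sh
# Added example: audit the JMX options a cassandra-env.sh hands to the JVM
# for the unauthenticated / unencrypted remote JMX that CVE-2015-0225 describes.
# Property names come from the Oracle JMX agent documentation; the sample
# configurations below are constructed, not copied from a real deployment.

# Constructed sample of the weak pre-fix default: remote port open,
# authentication and SSL both switched off.
WEAK_ENV='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"'

# Constructed sample of a hardened configuration: same port, but the agent
# now requires a password file, enforces an access file and speaks SSL.
# (File paths are placeholders.)
HARDENED_ENV='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access"'

# jmx_opts: print the non-comment lines of a configuration given as "$1".
jmx_opts() {
  printf '%s\n' "$1" | grep -v '^[[:space:]]*#'
}

# jmx_audit: inspect a configuration given as "$1". Prints one finding per
# line; returns 0 when remote JMX is either disabled or protected by both
# authentication and SSL, and 1 when a weak setting is present.
jmx_audit() {
  cfg="$1"
  rc=0
  if ! jmx_opts "$cfg" | grep -q 'jmxremote\.port='; then
    echo "OK: no remote JMX port configured"
    return 0
  fi
  if ! jmx_opts "$cfg" | grep -q 'jmxremote\.authenticate=true'; then
    echo "FAIL: remote JMX port enabled without authentication"
    rc=1
  fi
  if ! jmx_opts "$cfg" | grep -q 'jmxremote\.ssl=true'; then
    echo "FAIL: remote JMX port enabled without SSL"
    rc=1
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: remote JMX requires authentication and uses SSL"
  fi
  return "$rc"
}

echo "--- weak (default) configuration ---"
jmx_audit "$WEAK_ENV" || true
echo "--- hardened configuration ---"
jmx_audit "$HARDENED_ENV"
```

Run the script against the JVM_OPTS lines of an actual cassandra-env.sh to get the same pass/fail verdict; a FAIL on a node whose port 7199 is reachable from untrusted networks is the exposure the advisory describes, and the fix is the flag pair shown in the hardened sample plus the upgrade the advisory recommends.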