=====================================================================

                           CERT-Renater

               Note d'Information No. 2015/VULN028
_____________________________________________________________________

DATE                : 02/04/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Cassandra versions 1, 2
                           prior to 2.0.14, 2.1.4.

======================================================================
http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E
______________________________________________________________________

CVE-2015-0225: Apache Cassandra remote execution of arbitrary code

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Cassandra 1.2.0 to 1.2.19
Cassandra 2.0.0 to 2.0.13
Cassandra 2.1.0 to 2.1.3


Description:
Under its default configuration, Cassandra binds an unauthenticated
JMX/RMI interface to all network interfaces.  As RMI is an API for the
transport and remote execution of serialized Java, anyone with access
to this interface can execute arbitrary code as the running user.


Mitigation:
1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade
to a supported version of Cassandra, or manually configure encryption
and authentication of JMX,
(seehttps://wiki.apache.org/cassandra/JmxSecurity).

2.0.x users should upgrade to 2.0.14
2.1.x users should upgrade to 2.1.4

Alternately, users of any version not wishing to upgrade can
reconfigure JMX/RMI to enable encryption and authentication according
to https://wiki.apache.org/cassandra/JmxSecurity or
http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html


Credit:
This issue was discovered by Georgi Geshev of MWR InfoSecurity


=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================