
====================================================================

                             CERT-Renater

                 Information Note No. 2020/VULN485
_____________________________________________________________________

DATE                : 01/09/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Cassandra versions prior to
                         2.1.22, 2.2.18, 3.0.22, 3.11.8, 4.0-beta2.

=====================================================================
http://mail-archives.apache.org/mod_mbox/cassandra-user/202008.mbox/%3cCAAafH9QFUn9+sqmWs_i6XsBJdw+kPau5WePkUa_5tLfA908k-g@mail.gmail.com%3e
_____________________________________________________________________

Versions Affected:
All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2

Description:
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77;
Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to
affect confidentiality, integrity, and availability via vectors
related to JMX. By default, Cassandra only binds JMX locally.

Mitigation:
2.1.x users should upgrade to 2.1.22
2.2.x users should upgrade to 2.2.18
3.0.x users should upgrade to 3.0.22
3.11.x users should upgrade to 3.11.8
4.0-beta1 users should upgrade to 4.0-beta2

Alternatively, users can upgrade their JVM to versions after those in
the description.
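
The version check implied by the list above, as an added example that is
not part of the original advisory. The function name and the sample inputs
are constructed for illustration. Branches the advisory does not list
return None so they can be reviewed by hand.

```python
import re

# First fixed release per branch, copied from the advisory's mitigation list.
FIXED = {
    (2, 1): (2, 1, 22),
    (2, 2): (2, 2, 18),
    (3, 0): (3, 0, 22),
    (3, 11): (3, 11, 8),
}
FIXED_4_0_BETA = 2  # 4.0-beta2 is the first fixed 4.0 pre-release

# Matches "3.11.6", "4.0-beta1", or a line such as "ReleaseVersion: 3.11.6".
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?")


def is_affected(version_text):
    """True = upgrade needed, False = at or past the fix, None = branch not listed."""
    m = _VERSION.search(version_text)
    if not m:
        raise ValueError(f"unrecognised version string: {version_text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    tag, tag_num = (m.group(4) or "").lower(), int(m.group(5) or 0)

    if (major, minor) == (4, 0):
        # Pre-release ordering assumed here: alpha < beta < rc < final.
        if tag == "alpha":
            return True
        if tag == "beta":
            return tag_num < FIXED_4_0_BETA
        if tag in ("", "rc"):
            return False
        return None  # e.g. SNAPSHOT builds: cannot be ordered, review by hand

    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None  # the advisory names no fixed release for this branch
    current = (major, minor, patch)
    # A pre-release build of the fixed version is treated as still affected.
    return current < fixed or (current == fixed and tag != "")


if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    for v in ["2.1.21", "3.0.22", "ReleaseVersion: 3.11.6", "4.0-beta1", "3.5.0"]:
        print(f"{v:28} affected={is_affected(v)}")
```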



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



