The default configuration in Apache Cassandra 3.8 up to and including 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote malicious users to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
apache cassandra |