The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.
References
Configurations
History
07 Nov 2023, 03:01
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2018-06-28 16:29
Updated : 2024-02-28 16:25
NVD link : CVE-2018-8016
Mitre link : CVE-2018-8016
CVE.ORG link : CVE-2018-8016
JSON object : View
Products Affected
apache
- cassandra
CWE
CWE-306
Missing Authentication for Critical Function