PT-2018-18381 · Apache · Apache Cassandra

Published

2018-06-28

Updated

2022-05-13

CVE-2018-8016

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Apache Cassandra versions 3.8 through 3.11.1

Description: The default configuration of Apache Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces, allowing remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression that was introduced due to a specific change and is resolved in a later release.

Recommendations: For Apache Cassandra versions 3.8 through 3.11.1, update to version 3.11.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the JMX/RMI interface to minimize the risk of exploitation.

Fix

RCE

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2018-8016

GHSA-52GQ-7J6C-XW6X

Affected Products

Apache Cassandra

PT-2018-18381 · Apache · Apache Cassandra

CVE-2018-8016

Weakness Enumeration

Related Identifiers

Affected Products

References · 7