CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability

Versions Affected:
All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2

It is possible for a local attacker without access to the Apache Cassandra 
process or configuration files to manipulate the RMI registry to perform a 
man-in-the-middle attack and capture user names and passwords used to access 
the JMX interface. The attacker can then use these credentials to access the 
JMX interface and perform unauthorised operations.
Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables 
this issue to be exploited remotely.

2.1.x users should upgrade to 2.1.22
2.2.x users should upgrade to 2.2.18
3.0.x users should upgrade to 3.0.22
3.11.x users should upgrade to 3.11.8
4.0-beta1 users should upgrade to 4.0-beta2

Reply via email to