Hi Sam Is there any alternative to avoid this vulnerability? Like upgrade to specific JVM version.
Regards Manish On Tue, Sep 1, 2020 at 8:03 PM Sam Tunnicliffe <s...@beobal.com> wrote: > CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability > > Versions Affected: > All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2 > > Description: > It is possible for a local attacker without access to the Apache Cassandra > process or configuration files to manipulate the RMI registry to perform a > man-in-the-middle attack and capture user names and passwords used to > access the JMX interface. The attacker can then use these credentials to > access the JMX interface and perform unauthorised operations. > Users should also be aware of CVE-2019-2684, a JRE vulnerability that > enables this issue to be exploited remotely. > > Mitigation: > 2.1.x users should upgrade to 2.1.22 > 2.2.x users should upgrade to 2.2.18 > 3.0.x users should upgrade to 3.0.22 > 3.11.x users should upgrade to 3.11.8 > 4.0-beta1 users should upgrade to 4.0-beta2 > > >
