This vulnerability is only exposed if someone can access your JMX port.  If you 
lock down access to JMX ports then you can avoid it.

-Jeremiah

> On Sep 2, 2020, at 3:36 AM, Sam Tunnicliffe <s...@beobal.com> wrote:
> 
> Hi Manish,
> 
> Unfortunately I'm afraid, as far as I'm aware, there is not.
> 
> Thanks,
> Sam
> 
>> On 2 Sep 2020, at 04:14, manish khandelwal <manishkhandelwa...@gmail.com 
>> <mailto:manishkhandelwa...@gmail.com>> wrote:
>> 
>> Hi Sam
>> 
>> Is there any alternative to avoid this vulnerability? Like upgrade to 
>> specific JVM version.
>> 
>> Regards
>> Manish
>> 
>> On Tue, Sep 1, 2020 at 8:03 PM Sam Tunnicliffe <s...@beobal.com 
>> <mailto:s...@beobal.com>> wrote:
>> CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
>> 
>> Versions Affected:
>> All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2
>> 
>> Description:
>> It is possible for a local attacker without access to the Apache Cassandra 
>> process or configuration files to manipulate the RMI registry to perform a 
>> man-in-the-middle attack and capture user names and passwords used to access 
>> the JMX interface. The attacker can then use these credentials to access the 
>> JMX interface and perform unauthorised operations.
>> Users should also be aware of CVE-2019-2684, a JRE vulnerability that 
>> enables this issue to be exploited remotely.
>> 
>> Mitigation:
>> 2.1.x users should upgrade to 2.1.22
>> 2.2.x users should upgrade to 2.2.18
>> 3.0.x users should upgrade to 3.0.22
>> 3.11.x users should upgrade to 3.11.8
>> 4.0-beta1 users should upgrade to 4.0-beta2
>> 
>> 
> 
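The advisory above lists the fixed release per branch, and the top of the thread points out that the issue only matters where the JMX port is reachable. The following Python is an added example, not code from the thread or from the Cassandra project: it turns those two facts into a check a defender can run against a node's reported version string and its JVM flags. The version table is taken from the advisory; the JVM system properties it inspects (`cassandra.jmx.local.port`, `cassandra.jmx.remote.port`, `com.sun.management.jmxremote.authenticate`) are the ones the stock `cassandra-env.sh` sets and are assumed here, as are the sample command lines.

```python
import re

# Fixed release per branch, copied from the CVE-2020-13946 advisory above.
FIXED = {
    (2, 1): "2.1.22",
    (2, 2): "2.2.18",
    (3, 0): "3.0.22",
    (3, 11): "3.11.8",
    (4, 0): "4.0-beta2",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(text):
    """Return a comparable tuple for a Cassandra version string.

    Pre-release tags sort before the final release of the same number,
    so 4.0-beta1 < 4.0-beta2 < 4.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {text!r}")
    major, minor, patch, tag, tagnum = m.groups()
    pre = (3, 0) if tag is None else (_PRE_RANK[tag], int(tagnum))
    return (int(major), int(minor), int(patch or 0), pre)


def assess(version):
    """Return (affected, fixed_version) for the branch the version belongs to.

    (None, None) means the advisory does not cover that branch at all.
    """
    v = parse_version(version)
    fixed = FIXED.get((v[0], v[1]))
    if fixed is None:
        return (None, None)
    return (v < parse_version(fixed), fixed)


def jmx_exposure(jvm_args):
    """Classify how JMX is exposed, from the -D properties on the JVM command line.

    Assumption: the node was started via the stock cassandra-env.sh, which sets
    cassandra.jmx.local.port for LOCAL_JMX=yes and cassandra.jmx.remote.port
    plus the jmxremote.authenticate flag for LOCAL_JMX=no.
    """
    props = dict(re.findall(r"-D([\w.]+)=(\S+)", jvm_args))
    if "cassandra.jmx.remote.port" not in props:
        return "local" if "cassandra.jmx.local.port" in props else "unknown"
    auth = props.get("com.sun.management.jmxremote.authenticate", "false")
    return "remote-authenticated" if auth.lower() == "true" else "remote-unauthenticated"


def report(version, jvm_args):
    """Combine both checks into a one-line finding for an operator."""
    affected, fixed = assess(version)
    exposure = jmx_exposure(jvm_args)
    if affected is None:
        return f"{version}: branch not covered by the advisory; JMX is {exposure}"
    if affected:
        return f"{version}: affected, upgrade to {fixed}; JMX is {exposure}"
    return f"{version}: fixed ({fixed} or later); JMX is {exposure}"


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real node.
    local_args = "-Dcassandra.jmx.local.port=7199 -XX:+DisableExplicitGC"
    remote_args = ("-Dcassandra.jmx.remote.port=7199 "
                   "-Dcom.sun.management.jmxremote.rmi.port=7199 "
                   "-Dcom.sun.management.jmxremote.authenticate=true")
    for ver, args in (("3.11.7", remote_args), ("4.0-beta1", local_args),
                      ("3.0.22", remote_args)):
        print(report(ver, args))
```

Treat "remote-*" exposure on an affected version as the case the advisory describes: restrict who can reach the JMX port first, then upgrade to the listed release.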
