This vulnerability is only exposed if someone can access your JMX port. If you lock down access to JMX ports then you can avoid it.
-Jeremiah

> On Sep 2, 2020, at 3:36 AM, Sam Tunnicliffe <s...@beobal.com> wrote:
>
> Hi Manish,
>
> unfortunately I'm afraid, as far as I'm aware there is not.
>
> Thanks,
> Sam
>
>> On 2 Sep 2020, at 04:14, manish khandelwal <manishkhandelwa...@gmail.com> wrote:
>>
>> Hi Sam
>>
>> Is there any alternative to avoid this vulnerability? Like upgrade to specific JVM version.
>>
>> Regards
>> Manish
>>
>> On Tue, Sep 1, 2020 at 8:03 PM Sam Tunnicliffe <s...@beobal.com> wrote:
>> CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
>>
>> Versions Affected:
>> All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2
>>
>> Description:
>> It is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations.
>> Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
>>
>> Mitigation:
>> 2.1.x users should upgrade to 2.1.22
>> 2.2.x users should upgrade to 2.2.18
>> 3.0.x users should upgrade to 3.0.22
>> 3.11.x users should upgrade to 3.11.8
>> 4.0-beta1 users should upgrade to 4.0-beta2
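A branch-aware check of a deployed Cassandra version against the fix list in the advisory quoted above, added here as an example and not part of the thread. It assumes `nodetool version` prints a `ReleaseVersion:` line; the sample output is constructed.

```python
import re

# Fixed releases named in the CVE-2020-13946 advisory, one per branch.
FIXED_RELEASES = ["2.1.22", "2.2.18", "3.0.22", "3.11.8", "4.0-beta2"]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?$")


def parse_version(text):
    """Turn '3.11.7' or '4.0-beta1' into a tuple that compares correctly.

    Pre-releases get a 0 marker and final releases a 1, so that
    4.0-beta1 < 4.0-beta2 < 4.0.0 under plain tuple comparison.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    key = (int(major), int(minor), int(patch or 0))
    if tag:
        return key + (0, tag, int(tag_num))
    return key + (1,)


def is_vulnerable(version_text):
    """True if the version predates the fix for its branch (CVE-2020-13946)."""
    v = parse_version(version_text)
    fixed = [parse_version(f) for f in FIXED_RELEASES]
    same_branch = [f for f in fixed if f[:2] == v[:2]]
    if same_branch:
        return v < same_branch[0]
    # Branch with no fixed release: anything older than the newest fixed
    # release (e.g. a 3.x tick-tock build) never got the patch; anything
    # newer was cut after the fix landed.
    return v < max(fixed)


def release_version_from_nodetool(output):
    """Extract the version from `nodetool version` output (format assumed)."""
    m = re.search(r"^ReleaseVersion:\s*(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no ReleaseVersion line found")
    return m.group(1)


if __name__ == "__main__":
    sample = "ReleaseVersion: 3.11.7\n"  # constructed nodetool output
    ver = release_version_from_nodetool(sample)
    print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
```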