Man-in-the-middle attack in Apache Cassandra
Moderate severity
GitHub Reviewed
Published
May 7, 2021
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Package
Affected versions
>= 2.1.0, < 2.1.12
>= 2.2.0, < 2.2.18
>= 3.0.0, < 3.0.22
>= 3.11.0, < 3.11.8
= 4.0-beta1
Patched versions
2.1.12
2.2.18
3.0.22
3.11.8
4.0-beta2
Description
Published by the National Vulnerability Database
Sep 1, 2020
Reviewed
May 5, 2021
Published to the GitHub Advisory Database
May 7, 2021
Last updated
Feb 1, 2023
In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
References