CVE-2018-8016
published 2018-06-28


Priority: P2 · 62 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.29% (81.0th percentile)
The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.

Affected

1 range

Vendor: apache
Product: cassandra
Version range: 3.8 – 3.11.1
Fixed in: 3.11.2

Detection & IOCs (extracted from sources)

Port: RMI/JMX (default port 1099/7199)
  • Detect unauthenticated JMX/RMI interface bound to all network interfaces (0.0.0.0) on Cassandra nodes running versions 3.8 through 3.11.1
  • Monitor for LOCAL_JMX=no configuration setting in Cassandra environments, which causes JMX to bind on all interface IPs without authentication enforcement
  • Alert on inbound RMI connections to Cassandra JMX ports from non-localhost sources, as exploitation involves remote execution of serialized Java objects via RMI
  • The vulnerability is a regression introduced by CASSANDRA-12109 and fixed in CASSANDRA-14173 (version 3.11.2). Fedora backported the fix to cassandra-3.11.1-2 via a patch.
  • The Fedora backport patch is available at the referenced source and was confirmed fixed in cassandra-3.11.1-2 for Fedora releases.
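The three detection points above (affected version range, LOCAL_JMX=no without authentication, and inbound JMX-port connections from non-localhost sources) can be turned into a small audit script. The following is an added example written for this page; it is not code from the source page or from the Apache Cassandra project. It assumes that the JMX binding behaviour is controlled by LOCAL_JMX in cassandra-env.sh and that remote JMX authentication is expressed by the -Dcom.sun.management.jmxremote.authenticate JVM flag in that file (the -Dcassandra.jmx.remote.port flag in the sample is likewise an assumption); the config text and the connection records are constructed samples, and the "src_ip dst_ip dst_port" record format is invented for the example.

```python
"""Audit helpers for the CVE-2018-8016 exposure pattern (added example, not from the page)."""
import ipaddress
import re

# Default RMI/JMX ports named on the page.
JMX_PORTS = {1099, 7199}


def is_affected_version(version):
    """True for the range the advisory names: 3.8 through 3.11.1 (inclusive)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))  # "3.8" -> (3, 8, 0)
    return (3, 8, 0) <= parts <= (3, 11, 1)


def audit_cassandra_env(text):
    """Scan a cassandra-env.sh body and return a list of finding strings.

    Simplifying assumptions: only uncommented lines count, the last LOCAL_JMX
    assignment wins (as it would in the shell), and remote JMX is treated as
    authenticated only if an uncommented line sets jmxremote.authenticate=true.
    """
    local_jmx = None
    auth_on = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'LOCAL_JMX\s*=\s*"?(\w+)"?', line)
        if m:
            local_jmx = m.group(1).lower()
        if re.search(r"-Dcom\.sun\.management\.jmxremote\.authenticate=true\b", line):
            auth_on = True
    findings = []
    if local_jmx == "no":
        findings.append("LOCAL_JMX=no: JMX/RMI will bind to all interfaces")
        if not auth_on:
            findings.append("remote JMX enabled without jmxremote.authenticate=true")
    return findings


def flag_remote_jmx_connections(records):
    """Return (src, dst, port) tuples for JMX-port connections not from loopback.

    `records` is an iterable of constructed "src_ip dst_ip dst_port" lines.
    """
    alerts = []
    for rec in records:
        src, dst, port = rec.split()
        port = int(port)
        if port in JMX_PORTS and not ipaddress.ip_address(src).is_loopback:
            alerts.append((src, dst, port))
    return alerts


# Constructed sample config: the risky setting with the auth flag left commented out.
SAMPLE_ENV_VULNERABLE = """
# constructed sample, not a real cassandra-env.sh
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=7199"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
"""

# Constructed sample config: local-only JMX, the default.
SAMPLE_ENV_SAFE = """
LOCAL_JMX=yes
"""

# Constructed connection records: one remote hit on 7199, one loopback, one unrelated port.
SAMPLE_CONNECTIONS = [
    "10.0.0.5 10.0.0.9 7199",
    "127.0.0.1 127.0.0.1 7199",
    "10.0.0.5 10.0.0.9 9042",
]

if __name__ == "__main__":
    for v in ("3.7", "3.8", "3.11.1", "3.11.2"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print("vulnerable config:", audit_cassandra_env(SAMPLE_ENV_VULNERABLE))
    print("safe config:", audit_cassandra_env(SAMPLE_ENV_SAFE))
    print("remote JMX connections:", flag_remote_jmx_connections(SAMPLE_CONNECTIONS))
```

Run it against a real cassandra-env.sh and a connection export in the same three-field shape to get the version, configuration and network checks in one pass; a node that is in the affected range, has LOCAL_JMX=no without authentication, and shows non-loopback connections on 7199 matches all three indicators the page lists.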

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.0     9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd            v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
ghsa                    7.5    HIGH
osv                     7.5    HIGH
vendor_redhat           7.5    HIGH