| author | delphij <delphij@FreeBSD.org> | 2015-05-24 15:29:09 +0800 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2015-05-24 15:29:09 +0800 |
| commit | 3e544be00570aadbcd921afe60dd40116fa60bc7 | |
| tree | de0e96235726a498fd6331591e7cdb9626a5d347 /security | |
| parent | 9dc15abeb50b4a765447f98cf2738950bf6dc4d7 | |
Document cassandra remote code execution vulnerability.
PR: 199091
Submitted by: Jason Unovitch <jason unovitch gmail com>
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 88de9385c396..997d559e3389 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -57,6 +57,53 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="607f4d44-0158-11e5-8fda-002590263bf5"> + <topic>cassandra -- remote execution of arbitrary code</topic> + <affects> + <package> + <name>cassandra</name> + <range><ge>1.2.0</ge><le>1.2.19</le></range> + </package> + <package> + <name>cassandra2</name> + <range><ge>2.0.0</ge><lt>2.0.14</lt></range> + <range><ge>2.1.0</ge><lt>2.1.4</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Jake Luciani reports:</p> + <blockquote cite="http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/raw/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E/"> + <p>Under its default configuration, Cassandra binds an unauthenticated + JMX/RMI interface to all network interfaces. As RMI is an API for the + transport and remote execution of serialized Java, anyone with access + to this interface can execute arbitrary code as the running user.</p> + <p>Mitigation:</p> + <p>1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade + to a supported version of Cassandra, or manually configure encryption + and authentication of JMX, + (see https://wiki.apache.org/cassandra/JmxSecurity).</p> + <p>2.0.x users should upgrade to 2.0.14</p> + <p>2.1.x users should upgrade to 2.1.4</p> + <p>Alternately, users of any version not wishing to upgrade can + reconfigure JMX/RMI to enable encryption and authentication according + to https://wiki.apache.org/cassandra/JmxSecurityor + http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html</p> + <p>Credit:</p> + <p>This issue was discovered by Georgi Geshev of MWR InfoSecurity</p> + </blockquote> + </body> + </description> + <references> + <url>http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/raw/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E/</url> + <cvename>CVE-2015-0225</cvename> + </references> + <dates> 
+ <discovery>2015-04-01</discovery> + <entry>2015-05-24</entry> + </dates> + </vuln> + <vuln vid="865863af-fb5e-11e4-8fda-002590263bf5"> <topic>py-salt -- potential shell injection vulnerabilities</topic> <affects> |
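Review bot: in the "Alternately" paragraph of the new cassandra entry, the wiki URL runs straight into the following word (`to https://wiki.apache.org/cassandra/JmxSecurityor`), so the rendered advisory will show a broken link and lose the "or"; insert a space or line break before `or` so the two URLs stay separate. Two smaller points in the same hunk: `users of <= 1.2.x` must be written `&lt;= 1.2.x` in vuln.xml if it is a literal `<`, otherwise the file will not parse, and the 1.2 range `<ge>1.2.0</ge><le>1.2.19</le>` caps a branch the text itself describes as EOL with no fixed release, so an open-ended `<ge>1.2.0</ge>` range would keep any later 1.2.x port version flagged as affected.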