CVE-2015-0225
Vulnerability Description
The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request.
Known Affected Software
38 configuration(s) from 1 vendor(s)
- cassandra 1.2.0 (CPE: cpe:2.3:a:apache:cassandra:1.2.0:*:*:*:*:*:*:*)
- cassandra 1.2.1 (CPE: cpe:2.3:a:apache:cassandra:1.2.1:*:*:*:*:*:*:*)
- cassandra 1.2.2 (CPE: cpe:2.3:a:apache:cassandra:1.2.2:*:*:*:*:*:*:*)
- cassandra 1.2.3 (CPE: cpe:2.3:a:apache:cassandra:1.2.3:*:*:*:*:*:*:*)
- cassandra 1.2.4 (CPE: cpe:2.3:a:apache:cassandra:1.2.4:*:*:*:*:*:*:*)
- cassandra 1.2.5 (CPE: cpe:2.3:a:apache:cassandra:1.2.5:*:*:*:*:*:*:*)
- cassandra 1.2.6 (CPE: cpe:2.3:a:apache:cassandra:1.2.6:*:*:*:*:*:*:*)
- cassandra 1.2.7 (CPE: cpe:2.3:a:apache:cassandra:1.2.7:*:*:*:*:*:*:*)
- cassandra 1.2.8 (CPE: cpe:2.3:a:apache:cassandra:1.2.8:*:*:*:*:*:*:*)
- cassandra 1.2.9 (CPE: cpe:2.3:a:apache:cassandra:1.2.9:*:*:*:*:*:*:*)
- cassandra 1.2.10 (CPE: cpe:2.3:a:apache:cassandra:1.2.10:*:*:*:*:*:*:*)
- cassandra 1.2.11 (CPE: cpe:2.3:a:apache:cassandra:1.2.11:*:*:*:*:*:*:*)
- cassandra 1.2.12 (CPE: cpe:2.3:a:apache:cassandra:1.2.12:*:*:*:*:*:*:*)
- cassandra 1.2.13 (CPE: cpe:2.3:a:apache:cassandra:1.2.13:*:*:*:*:*:*:*)
- cassandra 1.2.14 (CPE: cpe:2.3:a:apache:cassandra:1.2.14:*:*:*:*:*:*:*)
- cassandra 1.2.15 (CPE: cpe:2.3:a:apache:cassandra:1.2.15:*:*:*:*:*:*:*)
- cassandra 1.2.16 (CPE: cpe:2.3:a:apache:cassandra:1.2.16:*:*:*:*:*:*:*)
- cassandra 1.2.17 (CPE: cpe:2.3:a:apache:cassandra:1.2.17:*:*:*:*:*:*:*)
- cassandra 1.2.18 (CPE: cpe:2.3:a:apache:cassandra:1.2.18:*:*:*:*:*:*:*)
- cassandra 1.2.19 (CPE: cpe:2.3:a:apache:cassandra:1.2.19:*:*:*:*:*:*:*)
- cassandra 2.0.0 (CPE: cpe:2.3:a:apache:cassandra:2.0.0:*:*:*:*:*:*:*)
- cassandra 2.0.1 (CPE: cpe:2.3:a:apache:cassandra:2.0.1:*:*:*:*:*:*:*)
- cassandra 2.0.2 (CPE: cpe:2.3:a:apache:cassandra:2.0.2:*:*:*:*:*:*:*)
- cassandra 2.0.3 (CPE: cpe:2.3:a:apache:cassandra:2.0.3:*:*:*:*:*:*:*)
- cassandra 2.0.4 (CPE: cpe:2.3:a:apache:cassandra:2.0.4:*:*:*:*:*:*:*)
- cassandra 2.0.5 (CPE: cpe:2.3:a:apache:cassandra:2.0.5:*:*:*:*:*:*:*)
- cassandra 2.0.6 (CPE: cpe:2.3:a:apache:cassandra:2.0.6:*:*:*:*:*:*:*)
- cassandra 2.0.7 (CPE: cpe:2.3:a:apache:cassandra:2.0.7:*:*:*:*:*:*:*)
- cassandra 2.0.8 (CPE: cpe:2.3:a:apache:cassandra:2.0.8:*:*:*:*:*:*:*)
- cassandra 2.0.9 (CPE: cpe:2.3:a:apache:cassandra:2.0.9:*:*:*:*:*:*:*)
- cassandra 2.0.10 (CPE: cpe:2.3:a:apache:cassandra:2.0.10:*:*:*:*:*:*:*)
- cassandra 2.0.11 (CPE: cpe:2.3:a:apache:cassandra:2.0.11:*:*:*:*:*:*:*)
- cassandra 2.0.12 (CPE: cpe:2.3:a:apache:cassandra:2.0.12:*:*:*:*:*:*:*)
- cassandra 2.0.13 (CPE: cpe:2.3:a:apache:cassandra:2.0.13:*:*:*:*:*:*:*)
- cassandra 2.1.0 (CPE: cpe:2.3:a:apache:cassandra:2.1.0:*:*:*:*:*:*:*)
- cassandra 2.1.1 (CPE: cpe:2.3:a:apache:cassandra:2.1.1:*:*:*:*:*:*:*)
- cassandra 2.1.2 (CPE: cpe:2.3:a:apache:cassandra:2.1.2:*:*:*:*:*:*:*)
- cassandra 2.1.3 (CPE: cpe:2.3:a:apache:cassandra:2.1.3:*:*:*:*:*:*:*)
This vulnerability affects 38 software configuration(s). Ensure you patch all affected systems.
References & Resources
- http://packetstormsecurity.com/files/131249/Apache-Cassandra-Remote-Code-Execution.html (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
- http://rhn.redhat.com/errata/RHSA-2015-1947.html (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
- http://www.mail-archive.com/user%40cassandra.apache.org/msg41819.html (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
- http://www.securityfocus.com/archive/1/535154/100/0/threaded (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
- http://www.securityfocus.com/bid/73478 (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
- http://www.securitytracker.com/id/1034002 (sources: secalert@redhat.com; af854a3a-2127-422b-91ae-364da2661108)
Severity Details
- CVSS Score: out of 10.0
- Severity: Low
Weakness Type (CWE)
CWE-77 (Top 25 #9): Improper Neutralization of Special Elements used in a Command ('Command Injection')
- Description: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
- Exploit Likelihood: High
- Typical Severity: Medium
- OWASP Top 10: A03:2021-Injection
- Abstraction Level: Class
Key Information
- Published Date: April 03, 2015
