CWE
306
Advisory Published
Advisory Published
Updated

CVE-2018-8016

First published: Mon Jun 25 2018(Updated: )

The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.

Credit: security@apache.org security@apache.org

Affected SoftwareAffected VersionHow to fix
Apache Cassandra>=3.8<=3.11.1
maven/org.apache.cassandra:cassandra-all>=3.8<=3.11.1
3.11.2

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Frequently Asked Questions

  • What is the vulnerability ID for this Apache Cassandra vulnerability?

    The vulnerability ID for this Apache Cassandra vulnerability is CVE-2018-8016.

  • What is the severity of CVE-2018-8016?

    The severity of CVE-2018-8016 is critical with a CVSS score of 9.8.

  • What is the affected software for CVE-2018-8016?

    The affected software for CVE-2018-8016 is Apache Cassandra versions 3.8 through 3.11.1.

  • How does CVE-2018-8016 allow remote attackers to execute arbitrary Java code?

    CVE-2018-8016 allows remote attackers to execute arbitrary Java code by exploiting the unauthenticated JMX/RMI interface bound to all network interfaces.

  • Is there a fix available for CVE-2018-8016?

    Yes, a fix is available for CVE-2018-8016. It is recommended to upgrade to a version of Apache Cassandra that is not affected by this vulnerability.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203