FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  452616
Date:      2017-10-21
Time:      23:01:18Z
Committer: cpm

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
607f4d44-0158-11e5-8fda-002590263bf5cassandra -- remote execution of arbitrary code

Jake Luciani reports:

Under its default configuration, Cassandra binds an unauthenticated JMX/RMI interface to all network interfaces. As RMI is an API for the transport and remote execution of serialized Java, anyone with access to this interface can execute arbitrary code as the running user.

Mitigation:

1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade to a supported version of Cassandra, or manually configure encryption and authentication of JMX, (see https://wiki.apache.org/cassandra/JmxSecurity).

2.0.x users should upgrade to 2.0.14

2.1.x users should upgrade to 2.1.4

Alternately, users of any version not wishing to upgrade can reconfigure JMX/RMI to enable encryption and authentication according to https://wiki.apache.org/cassandra/JmxSecurityor http://docs.oracle.com/javase/7/docs/technotes/guides/management/agent.html

Credit:

This issue was discovered by Georgi Geshev of MWR InfoSecurity


Discovery 2015-04-01
Entry 2015-05-24
cassandra
ge 1.2.0 le 1.2.19

cassandra2
ge 2.0.0 lt 2.0.14

ge 2.1.0 lt 2.1.4

http://mail-archives.apache.org/mod_mbox/cassandra-dev/201504.mbox/raw/%3CCALamADJu4yo=cO8HgA6NpgFc1wQN_VNqpkMn-3SZwhPq9foLBw@mail.gmail.com%3E/
CVE-2015-0225