CVE-2020-13946: Apache Cassandra RMI Rebind Vulnerability Alert

On September 1, 2020, Apache officially released a risk notice for the Apache Cassandra RMI rebind vulnerability. The vulnerability number is CVE-2020-13946, the vulnerability level is medium, and the vulnerability score is 6.8.

The Apache Cassandra database is the right choice when you need scalability and high availability without compromising performance. Linear scalability and proven fault-tolerance on commodity hardware or cloud infrastructure make it the perfect platform for mission-critical data. Cassandra’s support for replicating across multiple datacenters is best-in-class, providing lower latency for your users and the peace of mind of knowing that you can survive regional outages.

CVE-2020-13946

In Apache Cassandra, a local attacker who does not have permission to access the Apache Cassandra process or configuration file can operate the RMI registry to perform a man-in-the-middle attack and obtain the username and password used to access the JMX interface. Then the attacker can use these credentials to access the JMX interface and perform unauthorized operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Affected version

  • Apache Cassandra 2.1.x: <2.1.22
  • Apache Cassandra 2.2.x: <2.2.18
  • Apache Cassandra 3.0.x: <3.0.22
  • Apache Cassandra 3.11.x: <3.11.8
  • Apache Cassandra 4.0-beta1: <4.0-beta2

Unaffected version

  • Apache Cassandra 2.1.22
  • Apache Cassandra 2.2.18
  • Apache Cassandra 3.0.22
  • Apache Cassandra 3.11.8
  • Apache Cassandra <4.0-beta2

Solution

In this regard, we recommend that users upgrade Apache Cassandra to the latest version in time.