[High risk] Apache Cassandra improper privilege management vulnerability leads to remote command execution

Vulnerability description

Apache Cassandra is a distributed NoSQL database from the Apache Software Foundation.

In the affected versions of Apache Cassandra, the archive command for full query log (FQL) and audit log segments can be set through nodetool, i.e. over JMX, and is run as a shell command by the Cassandra process without any restriction on who set it. When FQL or the audit log is enabled, an attacker who already holds JMX/nodetool privileges can therefore execute arbitrary system commands as the operating-system user that Cassandra runs as.

Users can mitigate the vulnerability by setting the FQL/audit log configuration property allow_nodetool_archive_command to false (it lives under full_query_logging_options and audit_logging_options in cassandra.yaml).

Vulnerability name: Apache Cassandra privilege vulnerability leads to remote command execution
Vulnerability type: Improper privilege management
Discovery time: 2023/5/30
Vulnerability breadth: Small
MPS number: MPS-kaz2-jmpq
CVE number: CVE-2023-30601
CNVD number: -

Affected scope

org.apache.cassandra:cassandra-all@[4.1.0, 4.1.2)

org.apache.cassandra:cassandra-all@[4.0.0, 4.0.10)

Remediation

Upgrade the component org.apache.cassandra:cassandra-all to version 4.0.10 or later (4.0.x line)

Upgrade the component org.apache.cassandra:cassandra-all to version 4.1.2 or later (4.1.x line)

Set the FQL/audit log configuration property allow_nodetool_archive_command to false.
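As an added example (not code from the advisory or from the Cassandra project), the check below applies both parts of the remediation: it tests a version string against the affected ranges listed under the affected scope, and scans a cassandra.yaml for allow_nodetool_archive_command under full_query_logging_options and audit_logging_options, the two blocks that carry the property. The YAML fragments are constructed samples, the function names are mine, and the walk over the YAML is a deliberately minimal indentation scan so the script has no dependencies. It assumes that patched builds default the property to false, which is why an absent property is only flagged on an affected version.

```python
import re

# Affected ranges exactly as listed in the advisory: lower bound inclusive, upper exclusive.
AFFECTED_RANGES = (
    ((4, 0, 0), (4, 0, 10)),
    ((4, 1, 0), (4, 1, 2)),
)

# The two cassandra.yaml blocks that carry allow_nodetool_archive_command.
LOG_SECTIONS = ("full_query_logging_options", "audit_logging_options")

_KEY_RE = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*$")


def parse_version(version):
    """Accept '4.0.9', '4.1.1-SNAPSHOT' or a 'ReleaseVersion: 4.0.9' line from
    `nodetool version` and return (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Cassandra version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def section_settings(yaml_text, section):
    """Collect uncommented 'key: value' pairs nested under one top-level block.
    Commented-out defaults are skipped because the server ignores them too;
    list items such as '- class_name: BinAuditLogger' are skipped as well."""
    settings = {}
    in_section = False
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _KEY_RE.match(raw)
        if not m:
            continue
        indent, key, value = m.groups()
        if indent == "":                      # a new top-level key
            in_section = key == section
            continue
        if in_section:
            settings[key] = value.split("#", 1)[0].strip()   # drop trailing comment
    return settings


def archive_command_allowed(yaml_text, section):
    """True/False when the property is set explicitly, None when it is absent."""
    value = section_settings(yaml_text, section).get("allow_nodetool_archive_command")
    if value is None:
        return None
    # YAML 1.1 (SnakeYAML, used by Cassandra) also reads yes/on as true.
    return value.lower() in ("true", "yes", "on")


def assess(version, yaml_text):
    """Return a list of findings for CVE-2023-30601; empty means nothing to fix."""
    findings = []
    affected = is_affected(version)
    if affected:
        findings.append(f"Cassandra {version} is in an affected range; upgrade to 4.0.10+ or 4.1.2+")
    for section in LOG_SECTIONS:
        allowed = archive_command_allowed(yaml_text, section)
        if allowed is True:
            findings.append(f"{section}: allow_nodetool_archive_command is true; set it to false")
        elif allowed is None and affected:
            # Assumption: patched builds default this to false, so absence only
            # matters on an unpatched build.
            findings.append(f"{section}: allow_nodetool_archive_command not set on an affected build")
    return findings


# Constructed sample: the weak configuration, with the archive command settable over JMX.
WEAK_YAML = """\
cluster_name: 'Test Cluster'
audit_logging_options:
    enabled: true
    logger:
      - class_name: BinAuditLogger
    archive_command: /usr/local/bin/archive-audit.sh %path
    allow_nodetool_archive_command: true
full_query_logging_options:
    roll_cycle: HOURLY
"""

# Constructed sample: the hardened configuration recommended by the advisory.
HARDENED_YAML = """\
cluster_name: 'Test Cluster'
audit_logging_options:
    enabled: true
    logger:
      - class_name: BinAuditLogger
    archive_command: /usr/local/bin/archive-audit.sh %path
    allow_nodetool_archive_command: false
full_query_logging_options:
    roll_cycle: HOURLY
    allow_nodetool_archive_command: false
"""

if __name__ == "__main__":
    for ver, cfg in (("4.0.9", WEAK_YAML), ("4.1.2", WEAK_YAML), ("4.1.2", HARDENED_YAML)):
        print(ver, assess(ver, cfg) or ["ok"])
```

On a live node, feed `assess` the output of `nodetool version` and the contents of cassandra.yaml; the hardened sample shows the property set in both blocks, which is what the mitigation line above asks for.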

Reference links

https://www.oscs1024.com/hd/MPS-kaz2-jmpq

https://nvd.nist.gov/vuln/detail/CVE-2023-30601

https://github.com/apache/cassandra/commit/aafb4d19448f12ce600dc4e84a5b181308825b32

About Murphy Security

Murphy Security is a technology company that provides professional software supply chain security management. Its core team comes from Baidu, Huawei, Wuyun and other enterprises. The company offers a complete software supply chain security management platform covering the full software life cycle around SBOM security management; its capabilities include software composition analysis, source security management, container image scanning, vulnerability intelligence early warning and commercial software supply chain access assessment. It gives customers end-to-end control from supply chain asset identification and management through risk detection and security control to one-click repair.
Open source project: https://github.com/murphysecurity/murphysec/?sf=qbyj

The product can be integrated with the tools already in the development process at very low cost, including seamless integration with dozens of tools such as IDEs, GitLab, Bitbucket, Jenkins, Harbor and Nexus.
Free code security detection tool: https://www.murphysec.com/?sf=qbyj
Free intelligence subscription: https://www.oscs1024.com/cm/?sf=qbyj


Source: blog.csdn.net/murphysec/article/details/131091973