CVE-2015-0225 JBoss Operations Network (JON) Mitigation for JMX Cassandra Remote Code Invocation vulnerability

Issue Summary

In JBoss Operations Network (JBoss ON) storage node versions prior to 3.3.4, the bundled Apache Cassandra bound its JMX/RMI management interface, without authentication, to all network interfaces.

A remote attacker able to reach that Remote Method Invocation (RMI) endpoint, which transports serialized Java objects and invokes methods on them remotely, could use this flaw to execute arbitrary code as the user running Cassandra.

Remediation

Upgrading to JBoss ON 3.3.4 is the recommended fix for this issue. If you cannot upgrade, the following mitigation steps are offered as an alternative:

To mitigate the vulnerability, move any network interfaces on servers running JBoss ON storage nodes from an unsecured firewall zone into a secured zone, so that the JMX port is reachable from internal networks only.

This prevents an attacker outside the organization from reaching the interface. It does not remove the unauthenticated listener: any host on the internal network that can reach the JMX port can still exploit it, so restrict that port to the hosts that genuinely need it.

RHEL 7

Run the following commands, as root, in the order specified to move the interfaces into a secured zone.

  1. Check the status of the network on the server running the JBoss ON storage node.
$ nmcli dev status
em1          ethernet  connected  Boot Disk
wlp3s0       wifi      connected  Wi-Fi_Access_Point
lo           loopback  unmanaged  --

The ethernet device name may differ on your system. Replace em1 with your device name when running the subsequent commands.

  2. Verify the name of the zone currently attached to the interface.
$ firewall-cmd --get-zone-of-interface=em1
RHELWorkstation
  3. Permanently remove the interface from that (unsecured) zone.
$ firewall-cmd --permanent --zone=RHELWorkstation --remove-interface=em1
success
  4. Verify that the interface no longer belongs to the unsecured zone.
$ firewall-cmd --get-zone-of-interface=em1
no zone
  5. Re-add the interface to a secure internal zone.
$ firewall-cmd --permanent --zone=internal --add-interface=em1
  6. Reload the firewall so the permanent configuration takes effect. Until this reload, the running firewall rules are unchanged.
$ firewall-cmd --reload
success
  7. Repeat steps 2 to 6 for any other external interfaces, such as wlp3s0 in this case.

  8. After securing the interfaces, open only the ports or services that must be reachable in the internal zone (for example with firewall-cmd --permanent --zone=internal --add-service=... or --add-port=..., followed by --reload). Do not open the Cassandra JMX port, which is 7299 by default (see footnote 1).

Reference: RHEL 7 Security Guide

RHEL 6

  1. Accept TCP packets destined for port 7299 that originate from localhost. Note that 7299 is the default port; see footnote 1 for details.
$ iptables -A INPUT -p tcp --dport 7299 -s 127.0.0.1 -j ACCEPT
  2. Drop every other packet destined for port 7299. If another host legitimately needs JMX access to this storage node, add an ACCEPT rule for that source address before this DROP rule.
$ iptables -A INPUT -p tcp --dport 7299 -j DROP
  3. Check that the two rules sit where they will actually be evaluated. -A appends to the end of the INPUT chain, so if the chain already ends with a catch-all REJECT or DROP rule (the RHEL 6 default ruleset does), the appended rules are never reached and must instead be inserted above the catch-all with -I INPUT <rule-number> ... (iptables -L INPUT -n --line-numbers shows the chain with rule numbers).
  4. Save the new rules so they persist across reboots.
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
  5. Reload iptables to apply the saved rules.
$ service iptables reload

Reference: RHEL 6 Security Guide


  1. 7299 is the default Cassandra JMX port, but it may have been changed.
    Before installation, the port is configured in <RHQ_SERVER_HOME>/bin/rhq-storage.properties by the property rhq.storage.jmx-port; it defaults to 7299 if not specified.
    After installation, the port is configured in <RHQ_SERVER_HOME>/rhq-storage/conf/cassandra-jvm.properties by the property jmx_port.
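The following script is an added example and is not part of the JBoss ON documentation or product. It ties the footnote to the firewall steps above: it reads the configured JMX port from the two property files the footnote names (paths are built from RHQ_SERVER_HOME as described there; the fallback order and the function names are this example's own), and then reports whether that port is listening on a wildcard address, which is the condition the RHEL 6 and RHEL 7 rules above are meant to contain. The listener check parses ss -ltn output and accepts both the older *:port and the newer 0.0.0.0:port / [::]:port address forms; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the JBoss ON documentation): find the storage node's
# JMX port using the two property files named in the footnote, then report
# whether that port is listening on every interface instead of loopback only.
# Property names and file paths come from the footnote; the function names,
# fallback order and sample data are this example's own assumptions.

# Print the JMX port from a properties file, or the default 7299 when the file
# is missing or has no such key. Post-install the key is "jmx_port"
# (cassandra-jvm.properties); pre-install it is "rhq.storage.jmx-port"
# (rhq-storage.properties). Both spellings are accepted here.
jmx_port_from_file() {
    port=
    if [ -r "$1" ]; then
        port=$(awk -F= '
            /^[ \t]*(jmx_port|rhq\.storage\.jmx-port)[ \t]*=/ {
                gsub(/[ \t\r]/, "", $2); print $2; exit
            }' "$1")
    fi
    printf '%s\n' "${port:-7299}"
}

# Resolve the port for a server tree rooted at $1 (or $RHQ_SERVER_HOME):
# prefer the post-install file, fall back to the pre-install one.
storage_jmx_port() {
    home=${1:-$RHQ_SERVER_HOME}
    if [ -z "$home" ]; then
        echo "pass the server home or set RHQ_SERVER_HOME" >&2
        return 2
    fi
    if [ -r "$home/rhq-storage/conf/cassandra-jvm.properties" ]; then
        jmx_port_from_file "$home/rhq-storage/conf/cassandra-jvm.properties"
    else
        jmx_port_from_file "$home/bin/rhq-storage.properties"
    fi
}

# Read "ss -ltn" output on stdin and print every LISTEN socket on port $1 whose
# local address is a wildcard (0.0.0.0, *, :: or [::]). Exit 0 if at least one
# such socket exists (the exposed configuration), 1 otherwise. A socket bound
# to 127.0.0.1:$1 is the safe case and is not printed. Constructed sample:
#   LISTEN 0 128 *:7299 *:*            -> printed (exposed)
#   LISTEN 0 128 127.0.0.1:7299 *:*    -> ignored (loopback only)
wildcard_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Column 4 is Local Address:Port; the port follows the last ":".
            n = split($4, a, ":")
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            if (a[n] == port && (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")) {
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Live check on a storage node host (needs ss from iproute). Returns 1 when the
# JMX port is exposed on all interfaces, 0 when it is not.
check_jmx_exposure() {
    port=$(storage_jmx_port "$1") || return $?
    if ss -ltn | wildcard_listeners "$port"; then
        echo "JMX port $port is bound to all interfaces; restrict it with the firewall rules above" >&2
        return 1
    fi
    echo "no wildcard listener on JMX port $port"
}

# Usage: sh check-jmx.sh /opt/jboss-on   (the path is an assumption; use yours)
if [ $# -gt 0 ]; then
    check_jmx_exposure "$1"
fi
```

Run it on each storage node host before and after applying the firewall rules: the listener itself stays on the wildcard address either way (the mitigation filters traffic, it does not rebind Cassandra), so the useful follow-up is to confirm from another host that a TCP connection to the reported port is now refused or times out.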