In JBoss Operations Network (ON) storage nodes prior to version 3.3.4, the bundled Apache Cassandra was found to bind an unauthenticated JMX/RMI interface to all network interfaces.
A remote attacker able to reach the Remote Method Invocation (RMI) API, which transports and executes serialized Java objects, could use this flaw to execute arbitrary code as the user running Cassandra.
Upgrading to JBoss ON 3.3.4 is the recommended fix. If you cannot upgrade, the following mitigation steps are offered as an alternative:
To mitigate the vulnerability, move any network interfaces on servers running JBoss ON storage nodes out of an unsecured firewall zone and into a secured zone that accepts connections from internal networks only.
This prevents an attacker outside the organization from reaching the interface at all. It does not stop an attacker who is already on the internal network, so the JMX port itself should additionally be restricted to localhost as described further below.
Run the following commands as root, in the order specified, to secure the network interfaces (RHEL 7, firewalld).
- Check the status of the network on the server running the JBoss ON storage node.
$ nmcli dev status
DEVICE  TYPE      STATE      CONNECTION
em1     ethernet  connected  Boot Disk
wlp3s0  wifi      connected  Wi-Fi_Access_Point
lo      loopback  unmanaged  --
The ethernet device name (em1 here) may differ on your system. Replace it with your device name when running the subsequent commands.
- Verify the name of the zone the interface is currently bound to.
$ firewall-cmd --get-zone-of-interface=em1
RHELWorkstation
- Permanently remove the interface from its current, unsecured zone.
$ firewall-cmd --permanent --zone=RHELWorkstation --remove-interface=em1
success
- Verify that the interface is no longer bound to the unsecured zone. Query the permanent configuration here: without --permanent, firewall-cmd reports the runtime zone, which still shows RHELWorkstation until the firewall is reloaded.
$ firewall-cmd --permanent --get-zone-of-interface=em1
no zone
- Re-add the interface to a secured internal zone. For an interface managed by NetworkManager the binding can equivalently be set on its connection profile (nmcli connection modify "Boot Disk" connection.zone internal), which is what firewalld's NetworkManager integration writes in either case.
$ firewall-cmd --permanent --zone=internal --add-interface=em1
success
- Reload the firewall to activate the new permanent configuration, then confirm the runtime zone with firewall-cmd --get-zone-of-interface=em1, which should now print internal.
$ firewall-cmd --reload
success
Repeat for any other external interfaces, such as wlp3s0 in this case.
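The procedure above, as one script. This is an added example and not part of the advisory or of JBoss ON: it takes every connected, non-loopback interface that NetworkManager reports, moves it into a secured firewalld zone using the permanent configuration, reloads, and then checks the runtime zone. The TARGET_ZONE and DRY_RUN variables and the --apply flag are this script's own conventions; it assumes the nmcli and firewall-cmd binaries shipped with RHEL 7 and must run as root.

```shell
#!/bin/bash
# Added example, not part of the advisory or of JBoss ON: move every connected,
# non-loopback interface that NetworkManager reports into a secured firewalld zone
# on a RHEL 7 storage node, then verify the result. Assumes firewalld and nmcli;
# run as root. TARGET_ZONE, DRY_RUN and the --apply flag are this script's own.
set -u

TARGET_ZONE="${TARGET_ZONE:-internal}"   # zone that only internal networks reach
DRY_RUN="${DRY_RUN:-0}"                  # 1 = print the firewall-cmd calls instead of running them

# Run a command, or print it instead when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Read the terse, colon-separated output of
#   nmcli -t -f DEVICE,TYPE,STATE dev status
# from stdin and print the devices that are connected and are not the loopback.
external_ifaces() {
  local dev type state rest
  while IFS=: read -r dev type state rest; do
    [ "$type" = "loopback" ] && continue
    [ "$state" = "connected" ] || continue
    printf '%s\n' "$dev"
  done
}

# Print the firewall-cmd sequence that moves DEV from CURRENT into TARGET.
# Nothing is printed when the interface is already in TARGET; the remove step is
# skipped when firewall-cmd reported "no zone".
zone_move_cmds() {
  local dev="$1" current="$2" target="$3"
  [ "$current" = "$target" ] && return 0
  if [ -n "$current" ] && [ "$current" != "no zone" ]; then
    printf 'firewall-cmd --permanent --zone=%s --remove-interface=%s\n' "$current" "$dev"
  fi
  printf 'firewall-cmd --permanent --zone=%s --add-interface=%s\n' "$target" "$dev"
}

secure_iface() {
  local dev="$1" current cmd
  # Query with --permanent: without it firewall-cmd reports the runtime zone, which
  # keeps its old value until --reload even after a --permanent --remove-interface.
  current=$(firewall-cmd --permanent --get-zone-of-interface="$dev" 2>/dev/null || true)
  zone_move_cmds "$dev" "$current" "$TARGET_ZONE" | while read -r cmd; do
    # shellcheck disable=SC2086  # deliberate word splitting of a command line we built
    run $cmd
  done
}

main() {
  local dev devices failed=0
  devices=$(nmcli -t -f DEVICE,TYPE,STATE dev status | external_ifaces)
  for dev in $devices; do
    secure_iface "$dev"
  done
  run firewall-cmd --reload
  [ "$DRY_RUN" = "1" ] && return 0
  # After the reload the runtime zone must match for every interface.
  for dev in $devices; do
    if [ "$(firewall-cmd --get-zone-of-interface="$dev")" != "$TARGET_ZONE" ]; then
      echo "FAILED: $dev is not in zone $TARGET_ZONE" >&2
      failed=1
    fi
  done
  return $failed
}

# Only act when invoked as:  ./secure-zones.sh --apply   (DRY_RUN=1 to preview)
case "${1:-}" in --apply) main ;; esac
```

Run it once with DRY_RUN=1 to see exactly which zones each interface would leave and join before applying; a non-zero exit after --apply means at least one interface did not end up in the target zone and should be inspected by hand.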
After securing the interfaces, open (whitelist) only the ports of services that must be reachable from the secured zone; do not open the Cassandra JMX port, which is 7299 by default (see the footnote below on how the port is configured).
Reference: RHEL 7 Security Guide
- Accept TCP packets from localhost (127.0.0.1) to port 7299, so that the local JBoss ON server and Cassandra tooling keep working. 7299 is the default port; see the footnote below.
$ iptables -A INPUT -p tcp --dport 7299 -s 127.0.0.1 -j ACCEPT
- Drop every other TCP packet to port 7299, whatever its source. The ACCEPT rule must come before this DROP rule, which is why the two commands are run in this order with -A (append). Check with iptables -L INPUT -n --line-numbers that no earlier rule in the INPUT chain already accepts this traffic, otherwise the DROP is never reached.
$ iptables -A INPUT -p tcp --dport 7299 -j DROP
- Save the new rules so they survive a restart of the iptables service.
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
- Reload iptables to apply the saved rules.
$ service iptables reload
Reference: RHEL 6 Security Guide
7299 is the default Cassandra JMX port, but it may have been changed.
Before installation the port is set by a property in <RHQ_SERVER_HOME>/bin/rhq-storage.properties; it is 7299 if that property is not specified.
After installation the port is set by a property in <RHQ_SERVER_HOME>/rhq-storage/conf/cassandra-jvm.properties.