CVE-2015-0225 JBoss Operations Network (JON) Mitigation for JMX Cassandra Remote Code Invocation vulnerability
Issue Summary
On JBoss Operations Network (ON) storage node versions prior to 3.3.4, it was found that Apache Cassandra bound an unauthenticated JMX/RMI interface to all network interfaces.
A remote attacker able to access the Remote Method Invocation API (used for the transport and remote execution of serialized Java) could use this flaw to execute arbitrary code as the user running Cassandra.
Remediation
Upgrading to version 3.3.4 of JBoss ON is the recommended fix for this issue. If you cannot upgrade, the following mitigation steps are offered as an alternative:
To mitigate the vulnerability, move any network interfaces on servers running JBoss ON storage nodes from an unsecured zone into a secured zone, so that they are reachable from internal networks only.
This will prevent an attacker from accessing the network interface from outside the organization, and prevent the issue from occurring.
RHEL 7
Run the following commands in the order specified to secure the network interfaces.
- Check the status of the network on the server running the JBoss ON storage node.
$ nmcli dev status
em1 ethernet connected Boot Disk
wlp3s0 wifi connected Wi-Fi_Access_Point
lo loopback unmanaged --
The ethernet device name may differ on your system. Replace this value with your device name when running subsequent commands.
- Verify the name of the zone attached to the interface.
$ firewall-cmd --get-zone-of-interface=em1
RHELWorkstation
- Permanently remove the interface from its current (unsecured) zone.
$ firewall-cmd --permanent --zone=RHELWorkstation --remove-interface=em1
success
- Verify the unsecured zone has been removed for this interface.
$ firewall-cmd --get-zone-of-interface=em1
no zone
- Re-add the interface to a secure internal zone.
$ firewall-cmd --permanent --zone=internal --add-interface=em1
- Reload the firewall to load the new firewall rules.
$ sudo firewall-cmd --reload
success
- Repeat for any other external interfaces, such as wlp3s0 in this case.
- After securing the interfaces, open and whitelist only the ports needed by trusted services in the new zone; do not open the Cassandra JMX port 7299. Note that 7299 is the default port; see the footnote for details.[1]
Reference: RHEL 7 Security Guide
RHEL 6
- Accept TCP packets from localhost (source 127.0.0.1) to port 7299 without further rule checks. Note that 7299 is the default Cassandra JMX port; see the footnote for more details.
$ iptables -A INPUT -p tcp --dport 7299 -s 127.0.0.1 -j ACCEPT
- Drop any other packets to port 7299, i.e. those not originating from localhost. Because -A appends to the end of the INPUT chain, confirm that no earlier rule already accepts this traffic; if one does, insert these rules ahead of it with -I instead.
$ iptables -A INPUT -p tcp --dport 7299 -j DROP
- Save the new rules to iptables.
$ service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
- Reload iptables to apply the new rules.
$ service iptables reload
Reference: RHEL 6 Security Guide
[1] 7299 is the default Cassandra JMX port, but it could be different. Before installation, the port is configured in <RHQ_SERVER_HOME>/bin/rhq-storage.properties by the property rhq.storage.jmx-port; if that property is not specified, the default of 7299 is used. After installation, the port is configured in <RHQ_SERVER_HOME>/rhq-storage/conf/cassandra-jvm.properties by the property jmx_port.
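The RHEL 6 steps above hard-code port 7299, while the footnote explains that the real JMX port may be set in one of two properties files. The following script is an added example, not part of this article or of JBoss ON: it resolves the port from the two files named in the footnote (post-install cassandra-jvm.properties taking precedence, then rhq-storage.properties, then the 7299 default), prints the matching iptables rules from the RHEL 6 section without applying them, and adds a defender's check that parses `ss -ltn` style output to report whether that port is bound on all interfaces. The installation tree and socket listing it operates on are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): resolve the JBoss ON storage node JMX port,
# emit the RHEL 6 iptables rules for it, and check whether the port is exposed.

# Read a "key=value" (or "key: value") entry from a Java-style properties file.
# Prints the value, or the supplied default when the key or the file is absent.
get_property() {
    file="$1"; key="$2"; default="$3"
    if [ -r "$file" ]; then
        value=$(sed -n "s/^[[:space:]]*$key[[:space:]]*[=:][[:space:]]*//p" "$file" | tail -n 1)
    else
        value=""
    fi
    printf '%s\n' "${value:-$default}"
}

# Resolve the JMX port for an installation rooted at $1 (<RHQ_SERVER_HOME>):
# post-install cassandra-jvm.properties (jmx_port) wins, then the pre-install
# rhq-storage.properties (rhq.storage.jmx-port), then the documented default 7299.
jmx_port() {
    home="$1"
    post=$(get_property "$home/rhq-storage/conf/cassandra-jvm.properties" jmx_port "")
    if [ -n "$post" ]; then
        printf '%s\n' "$post"
        return
    fi
    get_property "$home/bin/rhq-storage.properties" rhq.storage.jmx-port 7299
}

# Print (do not apply) the article's RHEL 6 iptables rules for the given port.
iptables_rules() {
    port="$1"
    printf 'iptables -A INPUT -p tcp --dport %s -s 127.0.0.1 -j ACCEPT\n' "$port"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Read "ss -ltn" output on stdin; succeed (exit 0) if the given port is listening
# on a wildcard address (0.0.0.0, *, or [::]), i.e. reachable from every interface.
listens_on_all_interfaces() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# --- Demonstration on a constructed installation tree (not a real JBoss ON install) ---
demo_home=$(mktemp -d)
mkdir -p "$demo_home/bin" "$demo_home/rhq-storage/conf"
printf 'rhq.storage.jmx-port=7399\n' > "$demo_home/bin/rhq-storage.properties"
printf 'jmx_port=7499\n' > "$demo_home/rhq-storage/conf/cassandra-jvm.properties"

port=$(jmx_port "$demo_home")
echo "Resolved JMX port: $port"
iptables_rules "$port"

# Constructed socket listing in "ss -ltn" layout: JMX bound on all interfaces,
# the CQL port bound to loopback only.
demo_sockets="LISTEN 0 128 0.0.0.0:$port 0.0.0.0:*
LISTEN 0 128 127.0.0.1:9042 0.0.0.0:*"

if printf '%s\n' "$demo_sockets" | listens_on_all_interfaces "$port"; then
    echo "WARNING: JMX port $port is bound on all interfaces; firewall it as described above."
else
    echo "JMX port $port is not bound on a wildcard address."
fi

rm -rf "$demo_home"
```

On a real host, replace the constructed tree with the actual `<RHQ_SERVER_HOME>` and pipe live `ss -ltn` output into `listens_on_all_interfaces` (RHEL 6 ships `netstat -ltn`, whose columns are laid out the same way for this purpose); the rule printer is deliberately kept separate from any `iptables` invocation so the output can be reviewed before it is applied.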