Apache Cassandra, a widely used open-source distributed database management system, has been found to have a man-in-the-middle vulnerability. This security flaw, registered as CVE-2024-27137, is similar to the vulnerability reported in CVE-2020-13946. It allows local attackers without access to the Apache Cassandra process or its configuration files to manipulate the RMI registry and capture usernames and passwords used in the JMX interface. With these credentials, attackers can use the JMX interface to perform unauthorized operations. This post expands on the vulnerability, its potential effects, and the steps to mitigate it.
Affected Versions
This vulnerability affects Apache Cassandra versions ranging from 4.0.2 to 5.0.2 running Java 11.
A code snippet illustrating how the attacker can manipulate the RMI registry is shown below:
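    import java.rmi.*;
    import java.rmi.registry.*;

    public class RMIExploit {
        public static void main(String[] args) {
            try {
                // Obtain a reference to the RMI registry on the local host.
                Registry registry = LocateRegistry.getRegistry("localhost");
                // Bind an attacker-controlled object under the name JMX clients look up.
                // RMIExploitHandler is not defined anywhere in this post.
                registry.bind("jmxrmi", new RMIExploitHandler());
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }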
Exploit Details
The vulnerability leverages Java's RMI registry to perform the man-in-the-middle attack. The attacker can capture JMX interface credentials by:
1. Setting up a rogue RMI registry on the same host where Apache Cassandra is running.
2. Connecting to the original RMI registry and capturing any communication, including sensitive data like usernames and passwords, between the JMX interface and the Apache Cassandra process.
Since the Java option changed in JDK10, the mitigation method proposed for CVE-2020-13946 does not apply in this scenario.
Mitigation Actions
To mitigate this vulnerability, it's strongly advised to upgrade to Apache Cassandra releases 4.0.15, 4.1.8, or 5.0.3 or later, which include the fix for this issue. If upgrading is not immediately possible, further security measures should be taken to control access to the affected systems.
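A triage check for the version guidance above, added here as an example and not taken from the Apache advisory or the Cassandra project: it classifies nodes by Cassandra and Java version so the ones that need the upgrade stand out. The host names and inventory are constructed, and treating each fixed release as the fix for its own major.minor branch is an assumption.

```python
import re

# Affected range and fixed releases as stated in the text above.
FIRST_AFFECTED, LAST_AFFECTED = (4, 0, 2), (5, 0, 2)
# Assumption: each fixed release closes the issue on its own major.minor branch.
FIXED_IN = {(4, 0): (4, 0, 15), (4, 1): (4, 1, 8), (5, 0): (5, 0, 3)}

# Constructed inventory for illustration: (host, Cassandra version, Java version).
SAMPLE_NODES = [
    ("db-a", "4.0.14", "11.0.22"),
    ("db-b", "4.1.8", "11.0.22"),
    ("db-c", "5.0.2", "11.0.25"),
    ("db-d", "4.0.11", "1.8.0_392"),
    ("db-e", "3.11.16", "1.8.0_392"),
]


def parse_cassandra(version):
    """Return (major, minor, patch); suffixes such as -SNAPSHOT are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())


def java_major(version):
    """Map '11.0.22' to 11 and the legacy '1.8.0_392' form to 8."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:2]]
    if not parts:
        raise ValueError(f"unrecognised Java version: {version!r}")
    return parts[1] if parts[0] == 1 and len(parts) > 1 else parts[0]


def triage(cassandra_version, java_version):
    """Classify one node as 'affected', 'fixed' or 'not-listed'."""
    ver = parse_cassandra(cassandra_version)
    fixed = FIXED_IN.get(ver[:2])
    if fixed and ver >= fixed:
        return "fixed"
    if not FIRST_AFFECTED <= ver <= LAST_AFFECTED:
        return "not-listed"
    # The text above names Java 11 only; other runtimes are reported as not listed.
    return "affected" if java_major(java_version) == 11 else "not-listed"


def nodes_to_upgrade(nodes):
    """Hosts whose Cassandra/Java combination falls in the affected set."""
    return [host for host, cass, java in nodes if triage(cass, java) == "affected"]
```

A result of "not-listed" means only that the combination is outside the range given above, not that the node has been verified safe.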
For further information regarding this vulnerability, please consult the following references:
1. Apache Cassandra Security Advisory
2. CVE-2020-13946 - National Vulnerability Database (NVD)
3. A Comprehensive Guide to Apache Cassandra
Conclusion
The vulnerability CVE-2024-27137 in Apache Cassandra exposes a potential risk for unauthorized access to sensitive information and manipulation of the JMX interface. It's crucial for operators to upgrade their systems to the recommended versions and ensure proper security controls to prevent or minimize the possible impact. Stay vigilant and keep your systems up to date to protect your valuable data from threats like this one.
Timeline
Published on: 02/04/2025 11:15:08 UTC
Last modified on: 02/15/2025 01:15:10 UTC