CVE-2023-30601
📋 TL;DR
This vulnerability allows users with JMX access to escalate privileges and execute arbitrary commands as the Apache Cassandra service account when enabling FQL/Audit logs. It affects Apache Cassandra versions 4.0.0-4.0.9 and 4.1.0-4.1.1. Attackers with nodetool/JMX access can gain full control of the Cassandra instance.
💻 Affected Systems
- Apache Cassandra
📦 What is this software?
Cassandra by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cassandra instance, allowing execution of arbitrary commands as the Cassandra service user, potentially leading to data theft, data manipulation, or further lateral movement.
Likely Case
Privileged users with JMX access can escalate to execute arbitrary commands, potentially compromising the Cassandra database and underlying system.
If Mitigated
Limited to authorized JMX users only, reducing attack surface but still allowing privilege escalation for those with legitimate access.
🎯 Exploit Status
Exploitation requires JMX/nodetool access. The vulnerability is in the FQL/Audit log enabling functionality.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.10 or 4.1.2
Vendor Advisory: https://lists.apache.org/thread/f74p9jdhmmp7vtrqd8lgm8bq3dhxl8vn
Restart Required: Yes
Instructions:
1. Download Apache Cassandra 4.0.10 or 4.1.2 from official sources.
2. Stop the Cassandra service.
3. Back up configuration and data.
4. Install the new version.
5. Ensure 'allow_nodetool_archive_command' is set to false in the configuration.
6. Restart the Cassandra service.
🔧 Temporary Workarounds
Restrict JMX Access
Disable JMX access for non-trusted users to prevent exploitation.
Configure cassandra-env.sh to restrict JMX access with the following JVM options:
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password
🧯 If You Can't Patch
- Restrict JMX/nodetool access to trusted administrators only
- Disable FQL/Audit log functionality if not required
🔍 How to Verify
Check if Vulnerable:
Check the Cassandra version with 'nodetool version' or 'cassandra -v'. If the version is in the range 4.0.0-4.0.9 or 4.1.0-4.1.1, the system is vulnerable.
Check Version:
nodetool version
Verify Fix Applied:
Verify that the version is 4.0.10+ (4.0 line) or 4.1.2+ (4.1 line), and check cassandra.yaml for 'allow_nodetool_archive_command: false'.
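The two verification checks above, combined into one script as an added example (not code from the advisory or from the Apache Cassandra project). It assumes 'nodetool version' prints a 'ReleaseVersion: x.y.z' line and that 'allow_nodetool_archive_command' is a top-level key in cassandra.yaml; the sample inputs are constructed.

```python
import re

# Affected ranges as stated in the advisory (inclusive bounds).
AFFECTED_RANGES = [((4, 0, 0), (4, 0, 9)), ((4, 1, 0), (4, 1, 1))]

# Constructed samples standing in for real `nodetool version` output and cassandra.yaml.
SAMPLE_NODETOOL_OLD = "ReleaseVersion: 4.0.9\n"
SAMPLE_NODETOOL_NEW = "ReleaseVersion: 4.1.2\n"
SAMPLE_YAML_SAFE = "# allow_nodetool_archive_command: true\nallow_nodetool_archive_command: false\n"
SAMPLE_YAML_UNSAFE = "allow_nodetool_archive_command: true\n"


def parse_release_version(nodetool_output: str) -> tuple:
    """Extract the ReleaseVersion line from `nodetool version` output as an (x, y, z) tuple."""
    m = re.search(r"ReleaseVersion:\s*(\d+)\.(\d+)\.(\d+)", nodetool_output)
    if not m:
        raise ValueError("no ReleaseVersion line found in nodetool output")
    return tuple(int(part) for part in m.groups())


def version_is_affected(version: tuple) -> bool:
    """True if the version falls inside one of the affected ranges (tuple comparison)."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def archive_command_allowed(cassandra_yaml: str) -> bool:
    """True only if the key is present, uncommented, at top level, and set to true."""
    m = re.search(r"^allow_nodetool_archive_command:\s*(\S+)", cassandra_yaml, re.MULTILINE)
    return bool(m) and m.group(1).lower() == "true"


def assess(nodetool_output: str, cassandra_yaml: str) -> str:
    """Combine the version check and the config check into one verdict."""
    version = parse_release_version(nodetool_output)
    if version_is_affected(version):
        return "VULNERABLE"  # upgrade to 4.0.10 / 4.1.2
    if archive_command_allowed(cassandra_yaml):
        return "PATCHED_BUT_ARCHIVE_COMMAND_ENABLED"  # fixed build, but the risky setting was re-enabled
    return "OK"


if __name__ == "__main__":
    print(assess(SAMPLE_NODETOOL_OLD, SAMPLE_YAML_SAFE))
    print(assess(SAMPLE_NODETOOL_NEW, SAMPLE_YAML_UNSAFE))
    print(assess(SAMPLE_NODETOOL_NEW, SAMPLE_YAML_SAFE))
```

On a live node, feed it the captured output of 'nodetool version' and the contents of cassandra.yaml instead of the constructed samples.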
📡 Detection & Monitoring
Log Indicators:
- Unusual JMX authentication attempts
- Unexpected FQL/Audit log enabling events
- Suspicious command execution in Cassandra logs
Network Indicators:
- Unusual JMX port (7199) connections from unauthorized sources
- Unexpected nodetool commands
SIEM Query:
source="cassandra.log" AND ("JMX" OR "nodetool" OR "FQL" OR "Audit") AND ("enable" OR "command" OR "escalation")