CVE-2024-27137
📋 TL;DR
This vulnerability allows a local attacker to perform a man-in-the-middle attack on Apache Cassandra's RMI registry, capturing JMX interface credentials. Attackers can then use these credentials to perform unauthorized operations via JMX. Affects Apache Cassandra 4.0.2 through 5.0.2 running Java 11.
💻 Affected Systems
- Apache Cassandra
📦 What is this software?
Cassandra by Apache
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains full JMX access, potentially compromising the entire Cassandra cluster, exfiltrating data, or disrupting operations.
Likely Case
Attacker captures JMX credentials and performs unauthorized monitoring or limited administrative actions.
If Mitigated
With proper network segmentation and authentication controls, impact is limited to credential exposure without successful exploitation.
🎯 Exploit Status
Requires local access to the host; the attacker must manipulate the RMI registry to intercept JMX credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.15, 4.1.8, or 5.0.3
Vendor Advisory: https://lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm
Restart Required: Yes
Instructions:
1. Back up Cassandra data and configuration.
2. Stop the Cassandra service.
3. Upgrade to a patched version (4.0.15+, 4.1.8+, or 5.0.3+).
4. Restart the Cassandra service.
5. Verify JMX functionality.
🔧 Temporary Workarounds
Disable JMX Remote Access
Platform: Linux. Disable remote JMX access to prevent credential interception.
Edit cassandra-env.sh: unset the JVM_OPTS entries for JMX or set -Dcom.sun.management.jmxremote=false
Use JMX Authentication with SSL
Platform: Linux. Enable JMX authentication with SSL to protect credentials in transit.
Configure cassandra-env.sh with: -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.authenticate=true
🧯 If You Can't Patch
- Restrict local access to Cassandra hosts using strict user permissions and isolation
- Implement network segmentation to limit JMX traffic to trusted management networks only
🔍 How to Verify
Check if Vulnerable:
- Check the Cassandra version: nodetool version
- Check the Java version: java -version
- If Cassandra is 4.0.2 through 5.0.2 and Java is 11, the system is vulnerable.
Check Version:
nodetool version
Verify Fix Applied:
After upgrade, confirm version is 4.0.15+, 4.1.8+, or 5.0.3+ using nodetool version
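The two-command check above can be automated. The following is an added example (not part of the advisory or the Cassandra project): it parses the output of `nodetool version` and `java -version` and applies the branch-by-branch ranges implied by the patched versions listed above (4.0.15, 4.1.8, 5.0.3); the per-branch lower bounds are derived from the "4.0.2 through 5.0.2" statement and are an assumption. The sample outputs are constructed.

```python
import re

# Patched releases per branch come from the advisory above (4.0.15, 4.1.8, 5.0.3).
# Per-branch lower bounds are derived here from "4.0.2 through 5.0.2" (assumption).
AFFECTED_RANGES = {
    (4, 0): ((4, 0, 2), (4, 0, 15)),
    (4, 1): ((4, 1, 0), (4, 1, 8)),
    (5, 0): ((5, 0, 0), (5, 0, 3)),
}

def parse_nodetool_version(output):
    """Return (major, minor, patch) from `nodetool version` output ('ReleaseVersion: 4.0.10')."""
    m = re.search(r"ReleaseVersion:\s*(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no ReleaseVersion line in nodetool output")
    return tuple(int(x) for x in m.groups())

def parse_java_major(output):
    """Return the Java major version from `java -version` output.
    Handles 'version "11.0.22"', 'version "17"' and the legacy 'version "1.8.0_392"' form."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', output)
    if not m:
        raise ValueError("no version string in java -version output")
    major = int(m.group(1))
    if major == 1 and m.group(2):   # legacy 1.x scheme: "1.8" means Java 8
        major = int(m.group(2))
    return major

def is_vulnerable(cassandra_version, java_major):
    """True only for an unpatched release of an affected branch running on Java 11."""
    branch = cassandra_version[:2]
    if branch not in AFFECTED_RANGES:
        return False
    low, fixed = AFFECTED_RANGES[branch]
    return low <= cassandra_version < fixed and java_major == 11

def assess(nodetool_output, java_output):
    ver = parse_nodetool_version(nodetool_output)
    jmaj = parse_java_major(java_output)
    status = "VULNERABLE" if is_vulnerable(ver, jmaj) else "not affected"
    return "Cassandra %s on Java %d: %s" % (".".join(map(str, ver)), jmaj, status)

if __name__ == "__main__":
    # Constructed sample outputs; in practice feed `nodetool version` and
    # `java -version 2>&1` (java prints its version to stderr).
    NODETOOL_OUT = "ReleaseVersion: 4.0.10\n"
    JAVA_OUT = 'openjdk version "11.0.22" 2024-01-16\nOpenJDK Runtime Environment (build 11.0.22+7)\n'
    print(assess(NODETOOL_OUT, JAVA_OUT))   # Cassandra 4.0.10 on Java 11: VULNERABLE
```

A node on an affected Cassandra release but a different Java major is reported as not affected, matching the advisory's Java 11 condition.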
📡 Detection & Monitoring
Log Indicators:
- Unexpected JMX authentication attempts
- Failed JMX logins from unusual local users
Network Indicators:
- Unusual RMI registry traffic from localhost
- JMX connections from unexpected IPs
SIEM Query:
source="cassandra.log" AND ("JMX" OR "RMI") AND ("failed" OR "unauthorized")