CVE-2020-13946 Overview
CVE-2020-13946 is a Man-in-the-Middle vulnerability affecting Apache Cassandra that allows attackers to manipulate the RMI registry and capture JMX interface credentials. In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations.
Critical Impact
Successful exploitation enables attackers to intercept JMX authentication credentials and perform unauthorized administrative operations on Apache Cassandra clusters. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.
Affected Products
- Apache Cassandra versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8
- Apache Cassandra 4.0.0-alpha1 through 4.0.0-beta1
- NetApp OnCommand Insight
Discovery Timeline
- September 1, 2020 - CVE-2020-13946 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-13946
Vulnerability Analysis
This vulnerability stems from improper exposure of resources in the JMX (Java Management Extensions) interface used by Apache Cassandra for monitoring and management purposes. The RMI (Remote Method Invocation) registry that facilitates JMX connections can be manipulated by a local attacker to intercept authentication credentials during the JMX connection handshake process.
The attack exploits the trust relationship between Cassandra and its JMX clients. When administrators connect to the JMX interface, they provide credentials that traverse through the RMI registry. An attacker who has positioned themselves to intercept this communication can capture these credentials without requiring direct access to Cassandra's process memory or configuration files.
The vulnerability is particularly concerning because captured credentials can subsequently be reused to gain legitimate administrative access to the Cassandra cluster. This enables a range of malicious activities including data exfiltration, cluster configuration changes, and service disruption.
Root Cause
The root cause is classified as CWE-668 (Exposure of Resource to Wrong Sphere). The vulnerability exists because the RMI registry configuration does not adequately protect credential transmission during JMX authentication. The default JMX configuration in vulnerable versions lacks sufficient safeguards against registry manipulation, allowing attackers to inject themselves into the authentication flow and capture credentials in transit.
Attack Vector
The attack can be executed by a local attacker who has network access to the system running Apache Cassandra. The attacker manipulates the RMI registry to redirect JMX client connections through an attacker-controlled endpoint. When legitimate administrators attempt to connect to the JMX interface, their credentials are captured by the attacker's man-in-the-middle position.
The attack flow typically proceeds as follows:
- Attacker gains local network access to the Cassandra host
- Attacker manipulates the RMI registry to redirect JMX connections
- Administrator initiates JMX connection with credentials
- Credentials are intercepted by the attacker's MITM setup
- Attacker uses captured credentials for unauthorized JMX access
Note that when combined with CVE-2019-2684 (a JRE vulnerability), this attack can potentially be executed remotely, significantly expanding the threat surface.
Detection Methods for CVE-2020-13946
Indicators of Compromise
- Unexpected modifications to RMI registry entries on Cassandra hosts
- Unusual JMX connection patterns or failed authentication attempts followed by successful ones from different sources
- Network traffic anomalies suggesting MITM positioning around JMX ports (typically 7199)
- Unauthorized JMX operations or configuration changes in Cassandra audit logs
Detection Strategies
- Monitor for RMI registry manipulation attempts through system call auditing
- Implement network traffic analysis to detect potential MITM positioning around JMX communication
- Review Cassandra JMX authentication logs for suspicious patterns such as credential reuse from unexpected IP addresses
- Deploy endpoint detection to identify unauthorized processes binding to RMI-related ports
Monitoring Recommendations
- Enable comprehensive JMX access logging and review logs regularly for unauthorized operations
- Implement network segmentation monitoring to detect lateral movement toward Cassandra nodes
- Configure alerts for any modifications to Cassandra JMX configuration files
- Monitor for new or unexpected listeners on JMX-related network ports
How to Mitigate CVE-2020-13946
Immediate Actions Required
- Upgrade Apache Cassandra to versions 2.1.22, 2.2.18, 3.0.22, 3.11.8, or 4.0-beta2 or later
- Enable JMX authentication with SSL/TLS to encrypt credential transmission
- Restrict network access to JMX ports using firewall rules
- Review and rotate JMX credentials that may have been exposed
Patch Information
Apache has released patched versions that address this vulnerability. Organizations should upgrade to the following minimum versions:
- For 2.1.x branch: upgrade to 2.1.22 or later
- For 2.2.x branch: upgrade to 2.2.18 or later
- For 3.0.x branch: upgrade to 3.0.22 or later
- For 3.11.x branch: upgrade to 3.11.8 or later
- For 4.0 development branch: upgrade to 4.0-beta2 or later
For detailed patch information, refer to the Apache Cassandra Mailing List. NetApp customers should also review the NetApp Security Advisory NTAP-20210521-0005 for OnCommand Insight patching guidance.
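As an added example (not from the advisory or the Cassandra project), a small Python helper that encodes the fixed releases listed above and flags versions that are still affected, including the 4.0 alpha/beta pre-releases; the version-string grammar it accepts and the handling of branches without their own fix line are assumptions.

```python
import re
from typing import Optional

# Fixed releases named in the advisory; anything older on the same branch is affected.
FIXED_RELEASES = ("2.1.22", "2.2.18", "3.0.22", "3.11.8", "4.0-beta2")

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3  # a GA release sorts after any alpha/beta/rc of the same number


def parse_version(text: str) -> tuple:
    """Turn '3.11.7', '4.0-beta1' or '4.0.0-alpha1' into a comparable tuple."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)(\d*))?", text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # '4.0' compares like '4.0.0'
    if m.group(2):
        pre = (_PRERELEASE_RANK[m.group(2)], int(m.group(3) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return (*nums[:3], pre)


def fixed_release_for_branch(version: tuple) -> Optional[tuple]:
    """Return the parsed fix release for the version's major.minor branch, if one exists."""
    for f in FIXED_RELEASES:
        fv = parse_version(f)
        if fv[:2] == version[:2]:
            return fv
    return None


def is_affected(text: str) -> bool:
    """True if this version is older than the fix on its branch."""
    v = parse_version(text)
    fixed = fixed_release_for_branch(v)
    if fixed is not None:
        return v < fixed
    # Assumption: a branch with no fix line (e.g. 2.0.x or a tick-tock 3.x release)
    # is affected unless it is newer than the last fixed line, 4.0-beta2.
    return v < parse_version(FIXED_RELEASES[-1])
```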
Workarounds
- Enable SSL/TLS for JMX connections to encrypt all credentials in transit
- Bind JMX to localhost only and use SSH tunneling for remote management access
- Implement network-level access controls to restrict JMX port access to authorized management hosts only
- Consider disabling remote JMX access entirely if not required for operations
# Configuration example - Enable JMX SSL in cassandra-env.sh
# Add the following JVM options to enable SSL for JMX connections.
# registry.ssl matters for this CVE: without it the RMI registry lookup that
# precedes authentication still runs over plain RMI even when jmxremote.ssl is set.
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore_password>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore.jks"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore_password>"
# Restrict JMX to localhost only. cassandra-env.sh's own LOCAL_JMX switch does this
# (it binds the JMX server to the loopback address). java.rmi.server.hostname only
# sets the address advertised in RMI stubs and does not limit where the server
# listens, so it is not a substitute for LOCAL_JMX=yes.
LOCAL_JMX=yes
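An added example (not part of the advisory or of Cassandra's own tooling) that reads a cassandra-env.sh and reports JMX settings that leave credentials exposed, skipping commented-out lines such as the sample lines shipped in the default file; the two embedded configs are constructed samples and the finding texts are my own wording.

```python
import re
from typing import Dict, List

# -Dname=value inside JVM_OPTS assignments, and the LOCAL_JMX switch
_PROP = re.compile(r"-D([A-Za-z0-9_.]+)=([^\s\"']+)")
_LOCAL = re.compile(r"^\s*LOCAL_JMX=[\"']?(\w+)", re.MULTILINE)


def parse_env(text: str) -> Dict[str, str]:
    """Collect active -D properties and LOCAL_JMX from cassandra-env.sh; '#' lines are ignored."""
    active = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    props = dict(_PROP.findall(active))
    m = _LOCAL.search(active)
    props["LOCAL_JMX"] = m.group(1).lower() if m else "yes"  # Cassandra defaults LOCAL_JMX to yes
    return props


def audit_jmx_env(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was seen."""
    p = parse_env(text)
    ssl = p.get("com.sun.management.jmxremote.ssl") == "true"
    remote = p["LOCAL_JMX"] == "no"
    findings = []
    if remote and p.get("com.sun.management.jmxremote.authenticate", "false") != "true":
        findings.append("remote JMX enabled without authentication")
    if remote and not ssl:
        findings.append("remote JMX without SSL: credentials cross the network in the clear")
    if ssl and p.get("com.sun.management.jmxremote.registry.ssl") != "true":
        findings.append("jmxremote.ssl set but registry.ssl missing: RMI registry lookup still unprotected")
    if ssl and not p.get("javax.net.ssl.keyStore"):
        findings.append("jmxremote.ssl set but no keystore configured")
    return findings


# Constructed sample: remote JMX with the SSL line still commented out
WEAK_ENV = """
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
#JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
"""

# Constructed sample: remote JMX with SSL on both the connector and the registry
HARDENED_ENV = """
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/etc/cassandra/jmx-keystore.jks"
"""
```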
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.