Bug 199091 - [databases/cassandra][security] CVE-2015-0225
Summary: [databases/cassandra][security] CVE-2015-0225
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Radim Kolar
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-04-01 15:45 UTC by Sevan Janiyan
Modified: 2015-12-27 14:36 UTC
CC: 3 users

See Also:
bugzilla: maintainer-feedback? (hsn)


Attachments
security/vuxml documentation for Apache Cassandra CVE-2015-0225 (2.50 KB, patch)
2015-05-23 14:55 UTC, Jason Unovitch
Document FORBIDDEN and DEPRECATED (644 bytes, patch)
2015-05-30 01:37 UTC, Jason Unovitch

Description Sevan Janiyan 2015-04-01 15:45:17 UTC
remote execution of arbitrary code
http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
Comment 1 Jason Unovitch freebsd_committer 2015-05-23 14:55:48 UTC
Created attachment 157082 [details]
security/vuxml documentation for Apache Cassandra CVE-2015-0225

Per upstream security advisory, 1.2.x has reached EOL so there is not going to be an update that will fix databases/cassandra.  As such, start by documenting the upstream advisory in security/vuxml.


#
# Validation Checks
#

# make validate
/bin/sh /usr/ports/security/vuxml/files/tidy.sh "/usr/ports/security/vuxml/files/tidy.xsl" "/usr/ports/security/vuxml/vuln.xml" > "/usr/ports/security/vuxml/vuln.xml.tidy"
>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/ports/security/vuxml/vuln.xml
>>> Successful.
Checking if tidy differs...
... seems okay
Checking for space/tab...
... seems okay
/usr/local/bin/python2.7 /usr/ports/security/vuxml/files/extra-validation.py /usr/ports/security/vuxml/vuln.xml


#
# Pkg audit checks, starting with fixed version and working downward
#

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.1.4
0 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.1.1
cassandra2-2.1.1 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

root@xts-bsd /u/p/s/vuxml# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra2-2.0.10
cassandra2-2.0.10 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.

# env PKG_DBDIR=/usr/ports/security/vuxml pkg audit cassandra-1.2.18
cassandra-1.2.18 is vulnerable:
cassandra -- remote execution of arbitrary code
CVE: CVE-2015-0225
WWW: http://vuxml.FreeBSD.org/freebsd/607f4d44-0158-11e5-8fda-002590263bf5.html

1 problem(s) in the installed packages found.
Comment 2 Xin LI freebsd_committer 2015-05-24 07:29:25 UTC
Committed, thanks!
Comment 3 commit-hook freebsd_committer 2015-05-24 07:29:39 UTC
A commit references this bug:

Author: delphij
Date: Sun May 24 07:29:10 UTC 2015
New revision: 387252
URL: https://svnweb.freebsd.org/changeset/ports/387252

Log:
  Document cassandra remote code execution vulnerability.

  PR:		199091
  Submitted by:	Jason Unovitch <jason unovitch gmail com>

Changes:
  head/security/vuxml/vuln.xml
Comment 4 Xin LI freebsd_committer 2015-05-24 07:31:52 UTC
Reopen: the port is still unfixed.
Comment 5 Jason Unovitch freebsd_committer 2015-05-30 01:37:08 UTC
Created attachment 157272 [details]
Document FORBIDDEN and DEPRECATED

Patch attached to document EOL per the upstream security advisory notification.

Feedback requested on patch.

1.  My question is what is the realistic criteria toward marking the port as FORBIDDEN and DEPRECATED in light of the above?

Supporting discussion on that question.

Per the security advisory [Link 1]:
1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade
to a supported version of Cassandra, or manually configure encryption
and authentication of JMX,

I requested some additional information from the Cassandra-users mailing list [link 2] and got some feedback that "when n+2 is released, version n is EOL" and given that 2.1.x is the current branch then 1.2.x would be EOL.  It would be nice if the Cassandra project had things as nicely documented as FreeBSD's security policies are documented so I wouldn't have to ask a question like this.

2.  What is a realistic timeline?  I set it to 30 days based off seeing www/squid marked as such a while back before it was determined www/squid would be the only version maintained in ports and it was updated to 3.4.

[1] http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
[2] http://www.mail-archive.com/user@cassandra.apache.org/msg42560.html
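The advisory quoted in this comment tells users who stay on 1.2.x to "manually configure encryption and authentication of JMX". The following added example is not part of this PR, the port, or Cassandra's own files: it shows what that workaround looks like in cassandra-env.sh terms, with the weak default beside the hardened form, and a small POSIX sh check that classifies an env file by its JMX settings so an operator can audit nodes that cannot be upgraded. The sample env snippets, the /usr/local/etc/cassandra paths and the function names are constructed for the illustration; the -Dcom.sun.management.jmxremote.* properties are the standard JVM ones.

```shell
#!/bin/sh
# Added example, not from the PR or the cassandra port. Classifies the
# JMX exposure of a cassandra-env.sh-style file by its JVM_OPTS lines.

# Constructed sample: remote JMX on all interfaces, no auth, no TLS.
# This is the shape of configuration the advisory warns about.
WEAK_ENV='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"'

# Constructed sample: authentication turned on but TLS still off, so
# the JMX password crosses the network in the clear.
AUTH_ONLY_ENV='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/usr/local/etc/cassandra/jmxremote.password"'

# Constructed sample: the advisory's workaround, remote JMX kept but with
# authentication (password + access file) and TLS both enabled.
HARDENED_ENV='JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.port=7199"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/usr/local/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/usr/local/etc/cassandra/jmxremote.access"'

# Constructed sample: no jmxremote.port at all, so the JVM opens no
# remote JMX listener and only local attach is possible.
LOCAL_ENV='JVM_OPTS="$JVM_OPTS -Djava.net.preferIPv4Stack=true"'

# has_opt TEXT PATTERN: true if any JVM_OPTS line sets the given property.
has_opt() {
    printf '%s\n' "$1" | grep -q -- "$2"
}

# jmx_verdict TEXT: prints one of
#   local-only   no remote JMX port configured
#   exposed      remote port with authentication explicitly disabled
#   unencrypted  authenticated but jmxremote.ssl=false
#   ok           remote port with authentication and TLS
# The JVM defaults authenticate and ssl to true, so only an explicit
# "=false" downgrades the verdict.
jmx_verdict() {
    env_text=$1
    if ! has_opt "$env_text" 'jmxremote\.port='; then
        echo local-only
        return 0
    fi
    if has_opt "$env_text" 'jmxremote\.authenticate=false'; then
        echo exposed
        return 0
    fi
    if has_opt "$env_text" 'jmxremote\.ssl=false'; then
        echo unencrypted
        return 0
    fi
    echo ok
}

# jmx_verdict_file PATH: same check against a real env file on disk.
jmx_verdict_file() {
    jmx_verdict "$(cat "$1")"
}

echo "weak:      $(jmx_verdict "$WEAK_ENV")"       # exposed
echo "auth-only: $(jmx_verdict "$AUTH_ONLY_ENV")"  # unencrypted
echo "hardened:  $(jmx_verdict "$HARDENED_ENV")"   # ok
echo "local:     $(jmx_verdict "$LOCAL_ENV")"      # local-only
```

On a FreeBSD host the check would be run as `jmx_verdict_file /usr/local/etc/cassandra/cassandra-env.sh` (path assumed, not taken from the port) and anything other than `ok` or `local-only` is a node that still needs the advisory's manual configuration. The check is deliberately textual: it reads the settings an operator wrote, which is what the pkg-message suggested later in this PR would ask them to verify.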
Comment 6 Radim Kolar 2015-05-31 15:43:03 UTC
I don't think that JMX security is a major problem because normal cassandra is run in a cluster with no auth set even for data access.

Just a short after-install message about securing JMX would be good enough.
Comment 7 Jason Unovitch freebsd_committer 2015-06-09 01:48:39 UTC
Radim,
For now, everybody is going to get the regular notice from pkg audit on the vulnerability.  Adding it to the pkg-message until removal makes sense.  As maintainer, what do you feel is a sane timeline for deprecating it and eventual removal from the ports tree?
Comment 8 commit-hook freebsd_committer 2015-12-27 14:33:53 UTC
A commit references this bug:

Author: junovitch
Date: Sun Dec 27 14:32:56 UTC 2015
New revision: 404570
URL: https://svnweb.freebsd.org/changeset/ports/404570

Log:
  databases/cassandra: Set DEPRECATED

  1.2.x has reached EOL, so users of <= 1.2.x are recommended to upgrade
  to a supported version of Cassandra

  Reference:	http://www.mail-archive.com/user@cassandra.apache.org/msg41819.html
  		http://www.mail-archive.com/user@cassandra.apache.org/msg42560.html

  PR:		199091
  Approved by:	maintainer timeout

Changes:
  head/databases/cassandra/Makefile
Comment 9 Jason Unovitch freebsd_committer 2015-12-27 14:36:16 UTC
Set as DEPRECATED before we branch 2016Q1 as upstream hasn't supported 1.2.x since last year and set the deprecation to just before 2016Q2.  The underlying issue will not be fixed upstream so this just follows their EOL.