perfSONAR User Q&A and Other Discussion

[Andrew Lake <>]

Hi all,

There was a CVE released today for cassandra, which is used by the perfSONAR measurement archive software, esmond. You can find more information here: http://seclists.org/bugtraq/2015/Apr/0. If you are using the perfSONAR Toolkit distribution NO further action is required to protect your host. The summary of the issue is that by default cassandra listens on ports for JMX connections which allows remote execution of java code. Since inclusion of cassandra on the Toolkit last year, the Toolkit has a script that automatically turns these ports off in the cassandra configuration. Furthermore, the default iptables that the Toolkit installs block these ports had anything been listening on them.

If you are running a standalone esmond instance you need to update and restart cassandra. A few users have installed esmond separately from a Toolkit host as a central measurement archive or similar. If you are one of these users you need to run the following:

yum update cassandra20

/sbin/service cassandra restart

Note the restart of cassandra, so auto-updates alone aren't enough. Please let us know if you have any questions. 

Thank you,

The perfSONAR Development Team