CVE-2020-17516

February 6, 2021

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using ‘dc’ or ‘rack’ internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Summary:

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using ‘dc’ or ‘rack’ internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Reference Links(if available):

  • http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%[email protected]%3e

  • CVSS Score (if available)

    v2: / MEDIUMAV:N/AC:M/Au:N/C:P/I:N/A:N

    v3: / HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    CISA Logo

    CISA: Juniper Releases Security Bulletin for Multiple Juniper Products

    April 24, 2024
    CISA Logo

    CISA: Joint Guidance on Deploying AI Systems Securely

    April 24, 2024
    CISA Logo

    CISA: CISA Releases Four Industrial Control Systems Advisories

    April 24, 2024
    CISA Logo

    CISA: CISA Releases Three Industrial Control Systems Advisories

    April 24, 2024
    CISA Logo

    CISA: Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400

    April 24, 2024