Subject: [CVE-2020-17516] Apache Cassandra internode encryption enforcement vulnerability
From: Aleksey Yeschenko
Date: Mon, 1 Feb 2021 18:22:43 +0000
To: user@cassandra.apache.org
Cc: dev@cassandra.apache.org, security
Reply-To: user@cassandra.apache.org
Message-Id: <6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org>

CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Cassandra 2.1.0 to 2.1.22
Cassandra 2.2.0 to 2.2.19
Cassandra 3.0.0 to 3.0.23
Cassandra 3.11.0 to 3.11.9

Description:
When the internode_encryption setting is ‘dc’ or ‘rack’, a Cassandra instance accepts both encrypted and unencrypted inbound internode connections. A misconfigured node or a malicious user can therefore use an unencrypted connection even when not in the same rack or dc, bypassing the mutual TLS requirement.
Mitigation:
Users of ALL versions should switch the internode_encryption setting from ‘dc’ or ‘rack’ to ‘all’, as those two modes are inherently insecure.
3.0.x users should additionally upgrade to 3.0.24.
3.11.x users should additionally upgrade to 3.11.24.

Credit:
This issue was discovered by Jon Meredith.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@cassandra.apache.org
For additional commands, e-mail: user-help@cassandra.apache.org
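The following audit script is an added example for the description and mitigation above; it is not part of the advisory or of the Cassandra project. It reads a cassandra.yaml, extracts the `server_encryption_options` block with a deliberately small parser (one nested mapping, comments, optional quotes; not a general YAML parser), and flags the `internode_encryption` values that leave unencrypted inbound internode connections accepted: `dc` and `rack` from the advisory, plus `none`, which is assumed here to be the upstream default when the key is absent. It also checks `require_client_auth`, which is assumed to be the cassandra.yaml key behind the mutual TLS requirement the advisory mentions. Both sample configurations are constructed for the example.

```python
"""Audit cassandra.yaml for the weak internode_encryption settings in CVE-2020-17516."""
import re
from typing import Dict, List, Optional

# internode_encryption values under which a node still accepts plaintext
# internode connections. 'dc' and 'rack' are the modes the advisory calls
# inherently insecure; 'none' is assumed to be the default when the key is absent.
WEAK_INTERNODE_VALUES = {"none", "dc", "rack"}

# Constructed sample: the weak configuration the advisory warns about.
WEAK_CONFIG = """\
cluster_name: 'Example Cluster'   # constructed sample, not a real deployment
server_encryption_options:
    # Encrypts only across datacenters and still accepts plaintext peers
    internode_encryption: dc
    keystore: conf/.keystore
    keystore_password: 'ca#ssandra'
    truststore: conf/.truststore
    truststore_password: cassandra
    require_client_auth: true
client_encryption_options:
    enabled: false
"""

# Constructed sample: the same node after applying the advisory's mitigation.
HARDENED_CONFIG = WEAK_CONFIG.replace("internode_encryption: dc",
                                      "internode_encryption: all")


def _strip_comment(line: str) -> str:
    """Drop a YAML comment: '#' at line start or after whitespace.

    A '#' inside a value (e.g. a password) is kept.
    """
    return re.sub(r"(^|\s)#.*$", "", line).rstrip()


def parse_server_encryption_options(yaml_text: str) -> Dict[str, str]:
    """Return the flat key/value pairs nested under server_encryption_options.

    Minimal handling on purpose (example code): the block is assumed to be a
    single mapping of scalars, which is how cassandra.yaml lays it out.
    """
    opts: Dict[str, str] = {}
    block_indent: Optional[int] = None
    for raw in yaml_text.splitlines():
        line = _strip_comment(raw)
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if block_indent is None:
            if line.strip() == "server_encryption_options:":
                block_indent = indent
            continue
        if indent <= block_indent:
            break  # back at the top level: the nested mapping has ended
        match = re.match(r"\s*([A-Za-z_]+)\s*:\s*(.*)$", line)
        if match:
            opts[match.group(1)] = match.group(2).strip().strip("'\"")
    return opts


def audit(yaml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means no weak setting found."""
    opts = parse_server_encryption_options(yaml_text)
    findings: List[str] = []
    mode = opts.get("internode_encryption", "none").lower()
    if mode in WEAK_INTERNODE_VALUES:
        findings.append(
            f"internode_encryption is '{mode}': unencrypted inbound internode "
            f"connections are accepted (CVE-2020-17516); set it to 'all'")
    # Assumed key for the mutual TLS requirement; default is taken to be false.
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append(
            "require_client_auth is not true: peers need not present a "
            "certificate, so mutual TLS is not enforced")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Point `audit()` at the contents of a real cassandra.yaml to run the check; a node whose only finding is the `internode_encryption` line is the case this advisory describes, and changing the value to `all` (as in the hardened sample) clears it.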