cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Aleksey Yeschenko <>
Subject [CVE-2020-17516] Apache Cassandra internode encryption enforcement vulnerability
Date Mon, 01 Feb 2021 18:22:43 GMT
CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections


The Apache Software Foundation

Versions Affected:
Cassandra 2.1.0 to 2.1.22
Cassandra 2.2.0 to 2.2.19
Cassandra 3.0.0 to 3.0.23
Cassandra 3.11.0 to 3.11.9

When using ‘dc’ or ‘rack’ internode_encryption setting, a Cassandra instance allows
both encrypted
and unencrypted connections. A misconfigured node or a malicious user can use the unencrypted
connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’ internode_encryption
setting, as they are inherently insecure
3.0.x users should additionally upgrade to 3.0.24
3.11.x users should additionally upgrade to 3.11.24

This issue was discoverd by Jon Meredith
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message