====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN064
_____________________________________________________________________

DATE                : 02/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Apache Cassandra versions prior to
                                        3.0.24, 3.11.10.

=====================================================================
http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e
_____________________________________________________________________

CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on
inbound internode connections

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
Cassandra 2.1.0 to 2.1.22
Cassandra 2.2.0 to 2.2.19
Cassandra 3.0.0 to 3.0.23
Cassandra 3.11.0 to 3.11.9

Description:
When using ‘dc’ or ‘rack’ internode_encryption setting, a Cassandra
instance allows both encrypted and unencrypted connections. A
misconfigured node or a malicious user can use the unencrypted
connection despite not being in the same rack or dc, and bypass mutual
TLS requirement.


Mitigation:
Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’
internode_encryption setting, as they are inherently
insecure

3.0.x users should additionally upgrade to 3.0.24
3.11.x users should additionally upgrade to 3.11.10

Credit:
This issue was discoverd by Jon Meredith


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================