[CASSANDRA-16455] CVE-2020-17516 mitigation in 2.2.x branch - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 2.2.20
Component/s: Local/Other
Labels:
None

Bug Category:
Security
Severity:
Normal
Complexity:
Normal
Discovered By:
User Report
Platform:

All
Impacts:

None

Description

As a Cassandra 2.2.x user
I would like to know if a fix is planned for CVE-2020-17516 in this branch

https://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e

CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections

Severity:
Important

Vendor:
The Apache Software Foundation

Versions Affected:
Cassandra 2.1.0 to 2.1.22
Cassandra 2.2.0 to 2.2.19
Cassandra 3.0.0 to 3.0.23
Cassandra 3.11.0 to 3.11.9
....
....
....

Mitigation:
Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’ internode_encryption
setting, as they are inherently insecure
3.0.x users should additionally upgrade to 3.0.24
3.11.x users should additionally upgrade to 3.11.24

I can't find any ticket tracking implementing this fix in 2.2.x or 2.1.x.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Mark Denihan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 17/Feb/21 15:49

Updated:: 15/Sep/21 07:11

Resolved:: 15/Sep/21 07:11