Uploaded image for project: 'Cassandra'
  1. Cassandra
  2. CASSANDRA-16455

CVE-2020-17516 mitigation in 2.2.x branch

Agile BoardAttach filesAttach ScreenshotBulk Copy AttachmentsBulk Move AttachmentsVotersWatch issueWatchersCreate sub-taskConvert to sub-taskMoveLinkCloneLabelsUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Normal
    • Resolution: Fixed
    • 2.2.20
    • Local/Other
    • None
    • Security
    • Normal
    • Normal
    • User Report
    • All
    • None

    Description

      As a Cassandra 2.2.x user
      I would like to know if a fix is planned for CVE-2020-17516 in this branch

      https://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D@apache.org%3e

      CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections

      Severity:
      Important

      Vendor:
      The Apache Software Foundation

      Versions Affected:
      Cassandra 2.1.0 to 2.1.22
      Cassandra 2.2.0 to 2.2.19
      Cassandra 3.0.0 to 3.0.23
      Cassandra 3.11.0 to 3.11.9
      ....
      ....
      ....

      Mitigation:
      Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’ internode_encryption
      setting, as they are inherently insecure
      3.0.x users should additionally upgrade to 3.0.24
      3.11.x users should additionally upgrade to 3.11.24

      I can't find any ticket tracking implementing this fix in 2.2.x or 2.1.x.

      Attachments

        Activity

          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            Unassigned Unassigned Assign to me
            mdenihan Mark Denihan
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment