[CASSANDRA-18550] Improve nodetool enable{audit,fullquery}log, CVE-2023-30601 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Normal
Resolution: Fixed
Fix Version/s: 4.0.10, 4.1.2
Component/s: Local/Other
Labels:
None

Change Category:
Operability
Complexity:
Low Hanging Fruit
Platform:

All
Impacts:

None
Source Control Link:

https://github.com/apache/cassandra/commit/aafb4d19448f12ce600dc4e84a5b181308825b32
Test and Documentation Plan:

Hide

cci

Show
cci

Description

The --archive-command parameter to

nodetool enable{audit,fullquery}log

allows an attacker to execute arbitrary commands as the user running cassandra.

Patch adds a configuration option which disallows using this parameter - for any existing users of --archive-command this can be re-enabled

Attachments

Activity

People

Assignee:: Marcus Eriksson

Reporter:: Marcus Eriksson

Authors:: Marcus Eriksson

Reviewers:: Dinesh Joshi, Michael Semb Wever

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 25/May/23 06:38

Updated:: 29/May/23 10:51

Resolved:: 25/May/23 14:45