Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 1 Feb 2021 23:49:20 +0000
From: Aleksey Yeschenko <>
Subject: [CVE-2020-17516] Apache Cassandra internode encryption enforcement

CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on inbound internode connections


The Apache Software Foundation

Versions Affected:
Cassandra 2.1.0 to 2.1.22
Cassandra 2.2.0 to 2.2.19
Cassandra 3.0.0 to 3.0.23
Cassandra 3.11.0 to 3.11.9

When using ‘dc’ or ‘rack’ internode_encryption setting, a Cassandra instance allows both encrypted
and unencrypted connections. A misconfigured node or a malicious user can use the unencrypted
connection despite not being in the same rack or dc, and bypass mutual TLS requirement.

Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’ internode_encryption setting, as they are inherently insecure
3.0.x users should additionally upgrade to 3.0.24
3.11.x users should additionally upgrade to 3.11.10

This issue was discoverd by Jon Meredith

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.