CVE-2020-17516
📋 TL;DR
This vulnerability in Apache Cassandra allows unencrypted internode connections even when TLS is configured, enabling attackers to bypass mutual TLS requirements. It affects Cassandra clusters using 'dc' or 'rack' internode_encryption settings. Attackers can potentially intercept or manipulate internode communications.
💻 Affected Systems
- Apache Cassandra
📦 What is this software?
Cassandra by Apache
⚠️ Risk & Real-World Impact
Worst Case
Malicious actor intercepts or manipulates sensitive database traffic between nodes, leading to data theft, data corruption, or cluster compromise.
Likely Case
Unauthorized access to internode communications, potentially exposing sensitive data in transit or allowing man-in-the-middle attacks.
If Mitigated
With proper network segmentation and monitoring, impact is limited to potential traffic interception within the cluster network.
🎯 Exploit Status
Exploitation requires network access to Cassandra internode ports and knowledge of cluster configuration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.23, 2.2.20, 3.0.24, 3.11.10, 4.0+
Vendor Advisory: http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e
Restart Required: Yes
Instructions:
1. Back up the Cassandra configuration and data.
2. Upgrade to a patched version.
3. Restart the Cassandra service.
4. Verify that internode encryption is working properly.
🔧 Temporary Workarounds
Change internode_encryption to 'all'
Force all internode connections to use TLS encryption
Edit cassandra.yaml: internode_encryption: all
Restart Cassandra service
Network segmentation
Isolate the Cassandra cluster network to prevent unauthorized access
Configure firewall rules to restrict access to Cassandra ports (7000, 7001, 7199, 9042, 9160)
🧯 If You Can't Patch
- Change internode_encryption setting to 'all' in cassandra.yaml
- Implement strict network segmentation and firewall rules around Cassandra cluster
- Monitor network traffic for unencrypted connections on internode ports
🔍 How to Verify
Check if Vulnerable:
Check cassandra.yaml for 'internode_encryption: dc' or 'internode_encryption: rack' and verify that the version is in the affected range
Check Version:
nodetool version
Verify Fix Applied:
Verify that the version is patched and test internode connections to ensure all traffic is encrypted
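Added example, not code from the advisory or the Cassandra project: a small Python check that applies the two verification steps above to a constructed cassandra.yaml excerpt and a version string, using the fixed releases listed in this advisory as the cut-off for each minor line. The SAMPLE_YAML content and the 4.0+ handling for unlisted lines are assumptions of the example.

```python
import re

# Fixed releases as listed in this advisory; a node below the fixed release of
# its own minor line is unpatched. 4.0 and later ship the fix.
FIXED_BY_LINE = {(2, 1): (2, 1, 23), (2, 2): (2, 2, 20),
                 (3, 0): (3, 0, 24), (3, 11): (3, 11, 10)}
WEAK_MODES = {"dc", "rack"}   # modes the advisory names as vulnerable
# Constructed cassandra.yaml excerpt for the demo, not a real node's config.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    # internode_encryption: all   <- commented out, must be ignored
    internode_encryption: dc
    keystore: conf/.keystore
    require_client_auth: true
num_tokens: 256
"""

def version_is_patched(version):
    """Accepts '3.11.9' or raw `nodetool version` output ('ReleaseVersion: 3.11.9')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no version found in {version!r}")
    v = tuple(int(x) for x in m.groups())
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:          # line not listed: only 4.0+ is confirmed fixed
        return v >= (4, 0, 0)
    return v >= fixed

def internode_encryption_mode(yaml_text):
    """Return internode_encryption under server_encryption_options, or None.
    Line scanner (no PyYAML needed): skips comments, stops at next top-level key."""
    in_block = False
    for line in yaml_text.splitlines():
        code = line.split("#", 1)[0].rstrip()    # drop comments; may leave ""
        if re.match(r"^server_encryption_options\s*:", code):
            in_block = True
            continue
        if in_block and code and not code[0].isspace():   # next top-level key
            break
        m = in_block and re.match(r"^\s+internode_encryption\s*:\s*['\"]?(\w+)", code)
        if m:
            return m.group(1).lower()
    return None

def assess(yaml_text, version):
    mode, patched = internode_encryption_mode(yaml_text), version_is_patched(version)
    return {"mode": mode, "patched": patched,
            "vulnerable": mode in WEAK_MODES and not patched}
```

A mode of None means the key is absent and internode encryption is off entirely, which the advisory does not cover but is worth flagging separately.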
📡 Detection & Monitoring
Log Indicators:
- Unencrypted connection attempts
- SSL/TLS handshake failures
- Unexpected internode communication
Network Indicators:
- Unencrypted traffic on Cassandra internode ports (7000, 7001)
- Mixed encrypted/unencrypted traffic patterns
SIEM Query:
(source_port:7000 OR source_port:7001) AND NOT protocol:TLS
🔗 References
- http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-D7BE-4D33-9EC5-3B505A626D8D%40apache.org%3e
- https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d728c52807486e9%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d467f3a09f2ceae4%40%3Ccommits.cassandra.apache.org%3E
- https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886eb55aa84dd1eb8%40%3Ccommits.cassandra.apache.org%3E
- https://security.netapp.com/advisory/ntap-20210521-0002/