Vulnerability Description
Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass mutual TLS requirement.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cassandra | >= 2.1.0, <= 2.1.22 |
Related Weaknesses (CWE)
References
- http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-
- https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d
- https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d4
- https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886
- https://security.netapp.com/advisory/ntap-20210521-0002/Mailing ListThird Party Advisory
- http://mail-archives.apache.org/mod_mbox/cassandra-user/202102.mbox/%3c6E4340A5-
- https://lists.apache.org/thread.html/r81243a412a37a22211754936a13856af07cc68a93d
- https://lists.apache.org/thread.html/rcb16f36cafa184dd159e94033f87d0fc274c4752d4
- https://lists.apache.org/thread.html/rd84bec24907617bdb72f7ec907cd7437a0fd5a8886
- https://security.netapp.com/advisory/ntap-20210521-0002/Mailing ListThird Party Advisory
FAQ
What is CVE-2020-17516?
CVE-2020-17516 is a vulnerability with a CVSS score of 7.5 (HIGH). Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allows both encrypted and unencrypted interno...
How severe is CVE-2020-17516?
CVE-2020-17516 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-17516?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cassandra.