Re: CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability

2020-09-11 Thread Jeremiah D Jordan
This vulnerability is only exposed if someone can access your JMX port.  If you 
lock down access to JMX ports then you can avoid it.

-Jeremiah

> On Sep 2, 2020, at 3:36 AM, Sam Tunnicliffe  wrote:
> 
> Hi Manish,
> 
> unfortunately I'm afraid, as far as I'm aware there is not.
> 
> Thanks,
> Sam
> 
>> On 2 Sep 2020, at 04:14, manish khandelwal wrote:
>> 
>> Hi Sam
>> 
>> Is there any alternative to avoid this vulnerability, like upgrading to a 
>> specific JVM version?
>> 
>> Regards
>> Manish
>> 
>> On Tue, Sep 1, 2020 at 8:03 PM Sam Tunnicliffe wrote:
>> CVE-2020-13946 Apache Cassandra RMI Rebind Vulnerability
>> 
>> Versions Affected:
>> All versions prior to: 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2
>> 
>> Description:
>> It is possible for a local attacker without access to the Apache Cassandra 
>> process or configuration files to manipulate the RMI registry to perform a 
>> man-in-the-middle attack and capture user names and passwords used to access 
>> the JMX interface. The attacker can then use these credentials to access the 
>> JMX interface and perform unauthorised operations.
>> Users should also be aware of CVE-2019-2684, a JRE vulnerability that 
>> enables this issue to be exploited remotely.
>> 
>> Mitigation:
>> 2.1.x users should upgrade to 2.1.22
>> 2.2.x users should upgrade to 2.2.18
>> 3.0.x users should upgrade to 3.0.22
>> 3.11.x users should upgrade to 3.11.8
>> 4.0-beta1 users should upgrade to 4.0-beta2
>> 
>> 
> 
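
As an added example (not part of the advisory or of Cassandra's own tooling), a small Python check that applies the advisory's fixed-version list to a node's version string and flags whether a cassandra-env.sh still exposes remote JMX, the precondition Jeremiah describes. The LOCAL_JMX and com.sun.management.jmxremote.* names are the standard cassandra-env.sh settings; the sample file fragment is constructed.

```python
import re

# Fixed versions taken from the advisory above; anything earlier on the same branch is affected.
FIXED = {"2.1": "2.1.22", "2.2": "2.2.18", "3.0": "3.0.22", "3.11": "3.11.8", "4.0": "4.0-beta2"}

# Standard JVM properties that cassandra-env.sh appends to JVM_OPTS for remote JMX.
JMX_PROPS = {"authentication": "com.sun.management.jmxremote.authenticate",
             "TLS": "com.sun.management.jmxremote.ssl"}

def parse_version(v):
    """Turn '3.11.6' or '4.0-beta1' into a sortable tuple; a pre-release sorts before its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([a-z]+)(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v}")
    major, minor, patch, tag, tagnum = m.groups()
    release = (0, tag, int(tagnum)) if tag else (1, "", 0)  # (0, ...) = pre-release, (1, ...) = final
    return (int(major), int(minor), int(patch or 0)) + release

def is_affected(version):
    """True if the version predates the advisory's fix for its branch; None for an unlisted branch."""
    branch = ".".join(version.split(".")[:2]).split("-")[0]
    fixed = FIXED.get(branch)
    return None if fixed is None else parse_version(version) < parse_version(fixed)

def audit_jmx_env(env_text):
    """Report remote-JMX exposure from a cassandra-env.sh body (assumes a plain LOCAL_JMX=...
    assignment, last one wins as in shell, and -D flags on their own JVM_OPTS lines)."""
    assignments = re.findall(r'^\s*LOCAL_JMX=["\']?(\w+)', env_text, re.M)
    local_only = bool(assignments) and assignments[-1].lower() == "yes"
    findings = []
    if not local_only:
        findings.append("remote JMX enabled (LOCAL_JMX != yes): restrict the JMX port to admin hosts")
        for what, prop in JMX_PROPS.items():
            if not re.search(rf"-D{re.escape(prop)}=true\b", env_text):
                findings.append(f"remote JMX without {what} ({prop}=true not set)")
    return local_only, findings

# Constructed sample: a cassandra-env.sh fragment with remote JMX switched on and TLS off.
SAMPLE_ENV = """
LOCAL_JMX=no
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=false"
"""

if __name__ == "__main__":
    for v in ("3.11.6", "3.11.8", "4.0-beta1"):
        print(v, "affected" if is_affected(v) else "fixed")
    print(audit_jmx_env(SAMPLE_ENV))
```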



RE: Cassandra scale-out with no traffic on newly joined nodes

2020-09-11 Thread ZAIDI, ASAD
Can you please share what replica placement strategy (in the keyspace definition) 
and partitioner are used across nodes?
~Asad



From: Sandeep Nethi 
Sent: Tuesday, September 8, 2020 1:12 AM
To: user@cassandra.apache.org
Subject: Re: Cassandra scale-out with no traffic on newly joined nodes

That would be my last option, to add a new host as contact point, but as per my 
understanding Cassandra should auto-discover newly joined nodes and serve or 
load balance connections automatically, but it's not happening. So, I'm trying 
to understand what could be the root cause here.

Another problem that I have noticed is that the ratio of native client connections 
on newly joined nodes vs old nodes is 1:7, and client connections are not 
balanced across nodes (old nodes are overloaded compared to newly joined 
nodes). Since I have a 6-node cluster with 3 racks, is it mandatory to have 
rack awareness in the driver load balancer?

On Tue, Sep 8, 2020 at 6:02 PM manish khandelwal 
<manishkhandelwa...@gmail.com> wrote:
Can you add the new hosts as contact points and see if traffic lands on them or not?
Also you can verify that the new nodes are present in system.peers of the host 
which you are giving as contact point.

On Tue, Sep 8, 2020 at 11:27 AM Sandeep Nethi 
<nethisande...@gmail.com> wrote:
Yes, all nodes are UN and no issues identified. In fact I could see some client 
connections on new nodes with telnet but not seeing any traffic.

Cassandra version: 3.11.6
Load Balancing policy used is default with no custom policies.

Thanks,

On Tue, Sep 8, 2020 at 5:52 PM Erick Ramirez 
<erick.rami...@datastax.com> wrote:
That shouldn't be a problem for the control connection.

I would suggest looking into the load-balancing policy configured on the 
driver. Also, are all the new nodes fully up and have they fully joined the cluster?


Re: Cassandra scale-out with no traffic on newly joined nodes

2020-09-11 Thread Sandeep Nethi
NetworkTopologyStrategy and the Murmur3 partitioner are being used.

Just an update, nodes were able to receive queries from coordinator nodes
but only old nodes are acting as coordinators.

As I explained before, the number of native connections on new nodes is much
lower compared to old nodes.

How can I balance these connections without restarting the client application?
Any idea?


Thanks,
Sandeep

On Sat, 12 Sep 2020 at 5:02 AM, ZAIDI, ASAD  wrote:

> Can you please share what replica placement strategy (in the keyspace
> definition) and partitioner are used across nodes?
>
> ~Asad
>
> *From:* Sandeep Nethi
> *Sent:* Tuesday, September 8, 2020 1:12 AM
> *To:* user@cassandra.apache.org
> *Subject:* Re: Cassandra scale-out with no traffic on newly joined nodes
>
> That would be my last option, to add a new host as contact point, but as per
> my understanding Cassandra should auto-discover newly joined nodes and
> serve or load balance connections automatically, but it's not happening. So, I'm
> trying to understand what could be the root cause here.
>
> Another problem that I have noticed is that the ratio of native client
> connections on newly joined nodes vs old nodes is 1:7, and client
> connections are not balanced across nodes (old nodes are overloaded compared
> to newly joined nodes). Since I have a 6-node cluster with 3 racks, is it
> mandatory to have rack awareness in the driver load balancer?
>
> On Tue, Sep 8, 2020 at 6:02 PM manish khandelwal <
> manishkhandelwa...@gmail.com> wrote:
>
> Can you add the new hosts as contact points and see if traffic lands on them or
> not?
>
> Also you can verify that the new nodes are present in system.peers of the host
> which you are giving as contact point.
>
> On Tue, Sep 8, 2020 at 11:27 AM Sandeep Nethi wrote:
>
> Yes, all nodes are UN and no issues identified. In fact I could see some
> client connections on new nodes with telnet but not seeing any traffic.
>
> Cassandra version: 3.11.6
>
> Load Balancing policy used is default with no custom policies.
>
> Thanks,
>
> On Tue, Sep 8, 2020 at 5:52 PM Erick Ramirez wrote:
>
> That shouldn't be a problem for the control connection.
>
> I would suggest looking into the load-balancing policy configured on the
> driver. Also, are all the new nodes fully up and have they fully joined the cluster?


Re: Cassandra scale-out with no traffic on newly joined nodes

2020-09-11 Thread Erick Ramirez
>
> That would be my last option, to add a new host as contact point, but as per
> my understanding Cassandra should auto-discover newly joined nodes and
> serve or load balance connections automatically, but it's not happening.
>

Yes, that sounds right to me. Sorry, this fell off my radar due to
competing priorities. I'm going to reach out to the DataStax Drivers team.
In the meantime, can you tell me which driver + version and C* version?
Cheers!