Correction: 3.11.x users should upgrade to 3.11.10. 3.11.24 doesn’t exist. Yet.
> On 1 Feb 2021, at 18:22, Aleksey Yeschenko <alek...@apache.org> wrote:
>
> CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on
> inbound internode connections
>
> Severity:
> Important
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Cassandra 2.1.0 to 2.1.22
> Cassandra 2.2.0 to 2.2.19
> Cassandra 3.0.0 to 3.0.23
> Cassandra 3.11.0 to 3.11.9
>
> Description:
> When using 'dc' or 'rack' internode_encryption setting, a Cassandra instance
> allows both encrypted and unencrypted connections. A misconfigured node or a
> malicious user can use the unencrypted connection despite not being in the
> same rack or dc, and bypass mutual TLS requirement.
>
> Mitigation:
> Users of ALL versions should switch from 'dc' or 'rack' to 'all'
> internode_encryption setting, as they are inherently insecure
> 3.0.x users should additionally upgrade to 3.0.24
> 3.11.x users should additionally upgrade to 3.11.24
>
> Credit:
> This issue was discovered by Jon Meredith
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: dev-h...@cassandra.apache.org
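As an added illustration of the mitigation in the quoted advisory (this is not Cassandra project code and not part of the thread): a small defender-side audit script that reads a cassandra.yaml, reports an internode_encryption value of 'dc' or 'rack' (the setting the advisory calls inherently insecure), and checks the running version against the affected ranges listed above, using 3.0.24 and 3.11.10 as the fixed releases per the correction. The two YAML samples are constructed here; the key names server_encryption_options, internode_encryption and require_client_auth are standard cassandra.yaml keys, but the parser is a deliberately minimal line-based one (a real tool would use a YAML library), and the audit() function and its messages are hypothetical.

```python
"""Audit a cassandra.yaml for the CVE-2020-17516 condition.

Hypothetical defender-side checker written for this thread; not Cassandra's own tooling.
"""
import re

# Affected ranges exactly as listed in the advisory (inclusive, lo..hi).
AFFECTED = [
    ((2, 1, 0), (2, 1, 22)),
    ((2, 2, 0), (2, 2, 19)),
    ((3, 0, 0), (3, 0, 23)),
    ((3, 11, 0), (3, 11, 9)),
]

# Values the advisory tells users to move away from: both leave an
# unencrypted internode listener reachable regardless of rack/dc.
INSECURE_INTERNODE = {"dc", "rack"}


def parse_version(version):
    """'3.11.9' -> (3, 11, 9); extra components beyond three are ignored."""
    return tuple(int(p) for p in version.strip().split(".")[:3])


def version_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def server_encryption_options(yaml_text):
    """Extract the flat 'key: value' pairs directly under server_encryption_options.

    Minimal indentation-based scan that is enough for cassandra.yaml's layout;
    it is not a general YAML parser (assumption: no nested maps in that block).
    """
    opts = {}
    in_block = False
    block_indent = None
    for raw in yaml_text.splitlines():
        if raw.lstrip().startswith("#"):
            continue                                  # full-line comment
        line = re.sub(r"\s+#.*$", "", raw).rstrip()   # trailing comment
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if not in_block:
            in_block = indent == 0 and line.strip() == "server_encryption_options:"
            continue
        if indent == 0:
            break                                     # next top-level key
        if block_indent is None:
            block_indent = indent
        if indent != block_indent:
            continue                                  # deeper nesting: ignored
        key, _, value = line.strip().partition(":")
        opts[key.strip()] = value.strip()
    return opts


def audit(yaml_text, version):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    opts = server_encryption_options(yaml_text)
    mode = opts.get("internode_encryption", "none")   # Cassandra's default is none
    if mode in INSECURE_INTERNODE:
        findings.append(f"internode_encryption is '{mode}'; switch to 'all'")
    elif mode == "none":
        findings.append("internode_encryption is 'none'; internode traffic is cleartext")
    if opts.get("require_client_auth", "false").lower() != "true":
        findings.append("require_client_auth is not true; peers are not mutually authenticated")
    if version_affected(version):
        findings.append(f"Cassandra {version} is in an affected range; upgrade")
    return findings


# Constructed sample files (not real deployment configs).
WEAK_YAML = """\
# constructed sample: the setting the advisory warns about
cluster_name: 'example'
server_encryption_options:
    internode_encryption: dc
    keystore: conf/.keystore   # path is illustrative only
    require_client_auth: true
client_encryption_options:
    enabled: false
"""

HARDENED_YAML = """\
# constructed sample: the advisory's recommended setting
cluster_name: 'example'
server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore   # path is illustrative only
    require_client_auth: true
client_encryption_options:
    enabled: false
"""

if __name__ == "__main__":
    for label, text, ver in (("weak", WEAK_YAML, "3.11.9"), ("hardened", HARDENED_YAML, "3.11.10")):
        print(label, audit(text, ver) or ["ok"])
```

Run it against a real cassandra.yaml by reading the file into `audit()` with the node's version string; a non-empty result on a node that still uses 'dc' or 'rack' is exactly the configuration the advisory asks operators to change, independent of whether the node has been upgraded.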