Apache Cassandra

By the Year

In 2023 there have been 0 vulnerabilities in Apache Cassandra. Last year Cassandra had 1 security vulnerability published. Right now, Cassandra is on track to have fewer security vulnerabilities in 2023 than it did last year.

Year Vulnerabilities Average Score
2023 0 0.00
2022 1 9.10
2021 1 7.50
2020 1 5.90
2019 1 5.90
2018 1 9.80

It may take a day or so for new Cassandra vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Apache Cassandra Security Vulnerabilities

CVE-2021-44521 9.1 - Critical - February 11, 2022

When running Apache Cassandra with the following configuration:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false

it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Incorrect Permission Assignment for Critical Resource

CVE-2020-17516 7.5 - High - February 03, 2021

Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using the 'dc' or 'rack' internode_encryption setting, allow both encrypted and unencrypted internode connections. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and bypass the mutual TLS requirement.

Authentication Bypass by Spoofing

CVE-2020-13946 5.9 - Medium - September 01, 2020

In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorised operations. Users should also be aware of CVE-2019-2684, a JRE vulnerability that enables this issue to be exploited remotely.

Exposure of Resource to Wrong Sphere

CVE-2019-2684 5.9 - Medium - April 23, 2019

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets (in Java SE 8), that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. CVSS 3.0 Base Score 5.9 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

CVE-2018-8016 9.8 - Critical - June 28, 2018

The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. This issue is a regression of CVE-2015-0225. The regression was introduced in https://issues.apache.org/jira/browse/CASSANDRA-12109. The fix for the regression is implemented in https://issues.apache.org/jira/browse/CASSANDRA-14173. This fix is contained in the 3.11.2 release of Apache Cassandra.

Missing Authentication for Critical Function
