Abhishek Singh created CASSANDRA-15412:
------------------------------------------
Summary: Security vulnerability CVE-2016-4970 for Netty
Key: CASSANDRA-15412
URL: https://issues.apache.org/jira/browse/CASSANDRA-15412
Project: Cassandra
Issue Type: Bug
Reporter: Abhishek Singh
*Cassandra Version: 3.11.4*
*Description :*
*Severity :* CVE CVSS 3.0: 7.5; Sonatype CVSS 3.0: 7.5
*Weakness :* Sonatype CWE: 835
*Source :* National Vulnerability Database
*Categories :* Configuration, Data
*Description from CVE :* handler.
*Explanation :* Netty is vulnerable to Denial of Service (DoS). The wrap()
function in the OpenSslEngine class does not properly handle renegotiations,
causing the application to hang in an infinite loop. A remote attacker could
exploit this vulnerability by sending multiple requests to the application to
consume large amounts of CPU cycles, which can result in Denial of Service
(DoS).
The Sonatype security research team discovered that the vulnerability is
present in versions 4.0.20 until 4.0.37, not in all versions from 4.0.0 till
4.0.37 as the advisory states.
*Detection :* The application is vulnerable by using this component only if the
server has renegotiation enabled (which is set as default).
Reference: [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]
*Recommendation :* We recommend upgrading to a version of this component that
is not vulnerable to this specific issue.
Workaround:
Users can use -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable
renegotiation and avoid this issue.
Reference link: [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]
*Root Cause :* Cassandra-2.2.5.nupkg : OpenSslEngine.class : [4.1.0.Beta1,
4.1.1.Final)
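The affected ranges quoted above ([4.0.20, 4.0.37) from the Sonatype note and [4.1.0.Beta1, 4.1.1.Final) from the root-cause entry) and the -Djdk.tls.rejectClientInitiatedRenegotiation=true workaround lend themselves to a small inventory check. The following script is an added example for this ticket, not code from Cassandra, Netty or Sonatype: it parses Netty version strings (treating a bare x.y.z as x.y.z.Final and ordering qualifiers Alpha < Beta < CR < Final, which is an assumption about Netty's naming), tells whether a version falls in a range the report lists, looks for a netty-all or netty-handler jar in a list of lib-directory file names, and checks whether the workaround flag is active in a set of JVM option lines (the `#` comment syntax of Cassandra's jvm.options is assumed). The jar names and option lines at the bottom are constructed samples.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Ordering of Netty release qualifiers (Alpha < Beta < CR < Final); an
# assumption based on Netty's usual naming, used to compare e.g. 4.1.0.Beta1.
QUALIFIER_RANK = {"Alpha": 0, "Beta": 1, "CR": 2, "Final": 3}

VersionKey = Tuple[int, int, int, int, int]


def parse_netty_version(version: str) -> VersionKey:
    """Turn '4.1.0.Beta1' into a comparable tuple (4, 1, 0, rank(Beta), 1).
    A bare 'x.y.z' is treated as the Final release of x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.([A-Za-z]+)(\d*))?", version.strip())
    if m is None:
        raise ValueError(f"unrecognised Netty version string: {version!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    qualifier = m.group(4) or "Final"
    if qualifier not in QUALIFIER_RANK:
        raise ValueError(f"unknown release qualifier in {version!r}")
    qualifier_number = int(m.group(5)) if m.group(5) else 0
    return (major, minor, patch, QUALIFIER_RANK[qualifier], qualifier_number)


# Affected ranges exactly as the ticket states them: lower bound inclusive,
# upper bound exclusive.
AFFECTED_RANGES: List[Tuple[VersionKey, VersionKey]] = [
    (parse_netty_version("4.0.20"), parse_netty_version("4.0.37")),
    (parse_netty_version("4.1.0.Beta1"), parse_netty_version("4.1.1.Final")),
]


def is_affected(version: str) -> bool:
    """True if the given Netty version lies in one of the listed ranges."""
    key = parse_netty_version(version)
    return any(lo <= key < hi for lo, hi in AFFECTED_RANGES)


# Jar name pattern for the Netty artifacts that carry OpenSslEngine (assumption).
NETTY_JAR = re.compile(r"^netty-(?:all|handler)-(\d+\.\d+\.\d+(?:\.[A-Za-z]+\d*)?)\.jar$")


def find_netty_version(jar_names: Iterable[str]) -> Optional[str]:
    """Return the version of the first netty-all/netty-handler jar seen, or None."""
    for name in jar_names:
        m = NETTY_JAR.match(name)
        if m:
            return m.group(1)
    return None


# The workaround flag named in the ticket.
WORKAROUND_FLAG = "-Djdk.tls.rejectClientInitiatedRenegotiation=true"


def workaround_applied(jvm_option_lines: Iterable[str]) -> bool:
    """True if the flag appears on an active (non-comment) JVM options line."""
    for line in jvm_option_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if WORKAROUND_FLAG in stripped.split():
            return True
    return False


def assess(jar_names: Iterable[str], jvm_option_lines: Iterable[str]) -> Dict[str, object]:
    """Combine the version check and the workaround check into one verdict."""
    version = find_netty_version(jar_names)
    affected = version is not None and is_affected(version)
    mitigated = workaround_applied(jvm_option_lines)
    return {
        "netty_version": version,
        "affected_version": affected,
        "workaround_applied": mitigated,
        "exposed": affected and not mitigated,
    }


# Constructed sample inputs (not taken from a real Cassandra installation).
SAMPLE_JARS = ["guava-18.0.jar", "netty-all-4.0.36.Final.jar", "snappy-java-1.1.1.7.jar"]
SAMPLE_JVM_OPTIONS = [
    "# constructed jvm.options excerpt",
    "-Xss256k",
    "-Djdk.tls.rejectClientInitiatedRenegotiation=true",
]

if __name__ == "__main__":
    print(assess(SAMPLE_JARS, SAMPLE_JVM_OPTIONS))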
*Advisories :* Project:
[https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]
*CVSS Details :* CVE CVSS 3.0: 7.5
--
This message was sent by Atlassian Jira
(v8.3.4#803005)