The logback SocketServer and SocketServerReceiver component
vulnerability is with the serialization when using network configuration
for centralized log aggregation. The default Cassandra logback
configuration uses files on disk and does not use these features nor
expose logging to the network. If a user has configured logback to do
logging over the network, then they should consider upgrading the
logback libs. (This has nothing to do with thrift or native protocols.)

Michael

On 10/1/18 3:06 AM, Steinmaurer, Thomas wrote:
> Michael,
> 
> can you please elaborate on your SocketServer question. Is this for Thrift 
> only, or does it also affect the native protocol (CQL)?
> 
> Yes, we basically have iptables rules in place disallowing remote access from 
> machines outside the cluster.
> 
> Thanks again,
> Thomas
> 
>> -----Original Message-----
>> From: Michael Shuler <mshu...@pbandjelly.org> On Behalf Of Michael
>> Shuler
>> Sent: Freitag, 21. September 2018 15:49
>> To: user@cassandra.apache.org
>> Subject: Re: Cassandra 2.1.21 ETA?
>>
>> On 9/21/18 3:28 AM, Steinmaurer, Thomas wrote:
>>>
>>> is there an ETA for 2.1.21 containing the logback update (security
>>> vulnerability fix)?
>>
>> Are you using SocketServer? Is your cluster firewalled?
>>
>> Feb 2018 2.1->3.11 commits noting this in NEWS.txt:
>> https://github.com/apache/cassandra/commit/4bbd28a
>>
>> Feb 2018 trunk (4.0) commit for the library update:
>> https://github.com/apache/cassandra/commit/c0aa79e
>>
>> --
>> Michael
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
>> For additional commands, e-mail: user-h...@cassandra.apache.org
> 

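A practical way to answer Michael's "are you using SocketServer?" question on your own nodes is to scan logback.xml for the components that move logging events over the network. This is an added example, not Cassandra's or logback's own code; the class names are assumed to be the logback 1.x ones, and both configurations below are constructed samples, not a real deployment's files.

```python
import xml.etree.ElementTree as ET

# logback 1.x components configured in logback.xml that move logging events
# over the network. Receivers deserialize events sent to them (the side the
# advisory is about); socket appenders send events to such a receiver.
NETWORK_RECEIVERS = {
    "ch.qos.logback.classic.net.server.ServerSocketReceiver",
    "ch.qos.logback.classic.net.server.SSLServerSocketReceiver",
    "ch.qos.logback.classic.net.SocketReceiver",
}
NETWORK_APPENDERS = {
    "ch.qos.logback.classic.net.SocketAppender",
    "ch.qos.logback.classic.net.SSLSocketAppender",
}


def network_logging_components(xml_text):
    """Return (tag, name, class, role) for every network component found."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        cls = elem.get("class", "")
        if cls in NETWORK_RECEIVERS:
            found.append((elem.tag, elem.get("name", ""), cls, "receiver"))
        elif cls in NETWORK_APPENDERS:
            found.append((elem.tag, elem.get("name", ""), cls, "appender"))
    return found


def uses_network_logging(xml_text):
    """True when logback is configured to log over the network at all."""
    return bool(network_logging_components(xml_text))


# Constructed sample: file-only config, the shape of Cassandra's default.
FILE_ONLY = """<configuration>
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>system.log</file>
  </appender>
  <root level="INFO"><appender-ref ref="SYSTEMLOG"/></root>
</configuration>"""

# Constructed sample: the same config with a network receiver enabled.
WITH_RECEIVER = """<configuration>
  <receiver class="ch.qos.logback.classic.net.server.ServerSocketReceiver">
    <port>6000</port>
  </receiver>
  <appender name="SYSTEMLOG" class="ch.qos.logback.core.rolling.RollingFileAppender">
    <file>system.log</file>
  </appender>
  <root level="INFO"><appender-ref ref="SYSTEMLOG"/></root>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("file-only", FILE_ONLY), ("with-receiver", WITH_RECEIVER)):
        print(label, network_logging_components(cfg), uses_network_logging(cfg))
```

Run it against each node's conf/logback.xml; an empty result means the default file-on-disk setup is in use and the network components are not exposed.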
