Is this fixed in config defaults in 3.11.10, or is there something else within 
the code that fixes it? (Are both patch and config change required?)

Can you share the Jira ticket? I'm not finding details on search.

Valerie

> On Feb 1, 2021, at 1:23 PM, Aleksey Yeschenko <alek...@apache.org> wrote:
> 
> CVE-2020-17516: Apache Cassandra doesn't enforce encryption setting on 
> inbound internode connections
> 
> Severity:
> Important
> 
> Vendor:
> The Apache Software Foundation
> 
> Versions Affected:
> Cassandra 2.1.0 to 2.1.22
> Cassandra 2.2.0 to 2.2.19
> Cassandra 3.0.0 to 3.0.23
> Cassandra 3.11.0 to 3.11.9
> 
> Description:
> When using ‘dc’ or ‘rack’ internode_encryption setting, a Cassandra instance 
> allows both encrypted and unencrypted connections. A misconfigured node or a 
> malicious user can use the unencrypted connection despite not being in the 
> same rack or dc, and bypass mutual TLS requirement.
> 
> Mitigation:
> Users of ALL versions should switch from ‘dc’ or ‘rack’ to ‘all’ 
> internode_encryption setting, as they are inherently insecure
> 3.0.x users should additionally upgrade to 3.0.24
> 3.11.x users should additionally upgrade to 3.11.24
> 
> Credit:
> This issue was discovered by Jon Meredith
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscr...@cassandra.apache.org
> For additional commands, e-mail: user-h...@cassandra.apache.org
> 
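A small audit check for the mitigation described in the quoted advisory (an added example, not code from the advisory author or the Cassandra project): it reads the server_encryption_options block of a cassandra.yaml and flags the 'dc' and 'rack' modes the advisory calls insecure. It assumes the standard cassandra.yaml layout (top-level key at column 0, nested keys indented) and that an absent internode_encryption key falls back to Cassandra's default of 'none'; the sample YAML is constructed.

```python
"""Check cassandra.yaml for the CVE-2020-17516 mitigation (internode_encryption: all).

Added example; not code from the advisory or the Cassandra project.
"""
import re

# Modes named in the advisory as insecure, and the one it recommends.
WEAK_VALUES = {"dc", "rack"}
SAFE_VALUE = "all"


def find_internode_encryption(yaml_text: str):
    """Return the internode_encryption value found under server_encryption_options,
    or None if the key is absent. Line-based on purpose so it runs without a
    YAML library; inline '#' comments are stripped before matching."""
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            # A new top-level key starts; only the server block interests us.
            in_block = line.startswith("server_encryption_options:")
            continue
        if in_block:
            m = re.match(r"\s*internode_encryption:\s*['\"]?(\w+)['\"]?\s*$", line)
            if m:
                return m.group(1).lower()
    return None


def audit_internode_encryption(yaml_text: str) -> dict:
    """Classify the node: 'ok' (all), 'weak' (dc/rack: plaintext peers accepted,
    mutual TLS bypassable) or 'unencrypted' (none, or key absent -> assumed default none)."""
    value = find_internode_encryption(yaml_text)
    effective = value if value is not None else "none"  # assumption: default is 'none'
    if effective == SAFE_VALUE:
        verdict = "ok"
    elif effective in WEAK_VALUES:
        verdict = "weak"
    else:
        verdict = "unencrypted"
    return {"setting": value, "effective": effective, "verdict": verdict}


# Constructed sample configurations: the weak 'dc' mode and the corrected 'all' mode.
SAMPLE_WEAK = """\
cluster_name: 'Test Cluster'
server_encryption_options:
    internode_encryption: dc   # accepts unencrypted connections from other dcs
    keystore: conf/.keystore
    require_client_auth: true
client_encryption_options:
    enabled: false
"""
SAMPLE_FIXED = SAMPLE_WEAK.replace("internode_encryption: dc", "internode_encryption: all")
```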
