Issue Details
Following the publication of CVE-2023-43642, Instaclustr began investigating its potential impact on our Instaclustr Managed Apache Cassandra® offering.
This vulnerability affects snappy-java, a runtime dependency of Apache Cassandra versions 2.0, 3.0, 3.11, 4.0, and 4.1. The SnappyInputStream component of snappy-java was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data that declares a chunk size that is too large.
The CVSS (Common Vulnerability Scoring System) 3.x severity rating assigned by the NVD (National Vulnerability Database) for this vulnerability, as it applies to snappy-java, is a base score of 7.5 (High).
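As an added illustration (not code from snappy-java, Apache Cassandra or Instaclustr), the Python sketch below models the failure mode the advisory describes: a stream reader that sizes its buffer from an attacker-controlled length field, next to a reader that checks the declared size against a fixed cap and against the bytes actually present before allocating. The chunk framing, the MAX_CHUNK_SIZE cap and all sample streams are constructed for this example and are not the real snappy-java stream format.

```python
"""Toy length-prefixed chunk reader showing an untrusted-length DoS and its fix.

Constructed for illustration; the framing is NOT the snappy-java format.
Each chunk here is a 4-byte big-endian length followed by that many bytes.
"""
import struct

HEADER = struct.Struct(">I")      # constructed framing: 4-byte big-endian length
MAX_CHUNK_SIZE = 1 << 20          # 1 MiB cap, a value chosen for this example


class ChunkTooLarge(ValueError):
    """Declared chunk size exceeds the configured maximum."""


class TruncatedStream(ValueError):
    """Header or payload is shorter than the stream claims."""


def naive_allocation_demand(stream: bytes) -> int:
    """Walk the headers and report how many bytes a reader that trusts every
    declared length would allocate up front. Nothing is allocated here; the
    point is that one bogus header inflates the demand to gigabytes."""
    total, offset = 0, 0
    while offset + HEADER.size <= len(stream):
        (declared,) = HEADER.unpack_from(stream, offset)
        total += declared
        offset += HEADER.size + declared
    return total


def read_chunks(stream: bytes, max_chunk: int = MAX_CHUNK_SIZE) -> list[bytes]:
    """Hardened reader: validate the declared length against a fixed cap and
    against the remaining input before any buffer is sized from it."""
    chunks, offset = [], 0
    while offset < len(stream):
        if offset + HEADER.size > len(stream):
            raise TruncatedStream("incomplete chunk header")
        (declared,) = HEADER.unpack_from(stream, offset)
        offset += HEADER.size
        if declared > max_chunk:
            raise ChunkTooLarge(f"declared chunk size {declared} exceeds cap {max_chunk}")
        if offset + declared > len(stream):
            raise TruncatedStream("declared chunk size exceeds remaining data")
        chunks.append(bytes(stream[offset:offset + declared]))
        offset += declared
    return chunks


def classify(stream: bytes) -> str:
    """Return how the hardened reader treats a stream: ok, too-large or truncated."""
    try:
        read_chunks(stream)
    except ChunkTooLarge:
        return "too-large"
    except TruncatedStream:
        return "truncated"
    return "ok"


def frame(*payloads: bytes) -> bytes:
    """Build a well-formed stream from payloads (constructed test helper)."""
    return b"".join(HEADER.pack(len(p)) + p for p in payloads)


# Constructed sample inputs.
GOOD_STREAM = frame(b"hello", b"world")
# Header claims ~4 GiB of payload but only three bytes follow.
HOSTILE_STREAM = HEADER.pack(0xFFFFFFFF) + b"abc"
# Header claims 10 bytes but only three follow.
SHORT_STREAM = HEADER.pack(10) + b"abc"

if __name__ == "__main__":
    print("naive demand for hostile stream:", naive_allocation_demand(HOSTILE_STREAM))
    print("hardened reader on hostile stream:", classify(HOSTILE_STREAM))
    print("hardened reader on good stream:", read_chunks(GOOD_STREAM))
```

The cap is the essential control: checking the declared size against the remaining input alone is not enough for a streaming reader that has not yet seen the rest of the data, so a fixed upper bound on a single chunk is what keeps the allocation independent of what the peer claims.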
Impact Analysis
Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed Cassandra Service and assessed its severity rating as 3.0 on the CVSS 3.1 scale. The findings are listed below:
- The main risk identified is that an authenticated user can cause Cassandra to stop processing data.
- Instaclustr’s Managed Cassandra Service employs firewall access control which limits where the cluster can be accessed from.
- Cassandra itself is a highly available service, meaning that this vulnerability would need to be exploited several times to cause an outage of a cluster.
- Additionally, as this vulnerability requires the attacker to be authenticated to exploit it, a user would need to have been explicitly given access to the environment to execute the commands. This reduces the likelihood of clusters being exploited by an attacker through this vulnerability.
Mitigation Approaches
Based on the impacts detailed above, Instaclustr recommends the following actions for our customers:
- We recommend all customers review the access permissions to their Cassandra clusters to ensure access is restricted to the minimum permission sets, IP addresses, and trusted clients. You can find information about how to manage Cassandra users, ACLs, and firewall rules on our website.
- Apache Cassandra versions 3.11.17, 4.0.12, and 4.1.4 contain the fix, although they have not been released by the Apache Cassandra project as of the date of publication of this security advisory. Please see the Apache Cassandra JIRA ticket 18878 for more information on the fixed versions. Our course of action will be to release Cassandra versions 3.11.17, 4.0.12, and 4.1.4 when available, and to recommend that customers upgrade running Cassandra clusters. Once the new versions are released, we recommend that:
  - For new clusters, Cassandra version 3.11.17, 4.0.12, or 4.1.4 should be used, depending on which major version you are using.
  - For existing clusters on older versions, an upgrade should be scheduled by contacting our Support team. Alternatively, our Support team will reach out to you shortly to schedule an upgrade.
- We will mark older Cassandra versions as Closed and subsequently Retired once customer migration is completed, as per our lifecycle policy.
Support Only Customers
- We recommend all customers review the access permissions to their Cassandra clusters to ensure access is restricted to the minimum permission sets, IP addresses, and trusted clients.
- Once released, upgrade to Cassandra version 3.11.17, 4.0.12 or 4.1.4 depending on which major version you are using.
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact Instaclustr Support.
References: https://nvd.nist.gov/vuln/detail/CVE-2023-43642.