Security Advisory: CVE-2023-43642 Snappy-Java

Issue Details 

Following the publication of CVE-2023-43642, Instaclustr began investigating its potential impact on our Instaclustr Managed Apache Cassandra® offering.   

This vulnerability affects snappy-java, a runtime dependency of Apache Cassandra versions 2.0, 3.0, 3.11, 4.0, and 4.1. The SnappyInputStream component of snappy-java was found to be vulnerable to Denial of Service (DoS) when decompressing data whose declared chunk size is too large.
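To illustrate the failure mode above, here is an added example (not snappy-java's or Cassandra's code) of a block reader that validates the length field before allocating. The framing is modelled on snappy-java's block stream (a 4-byte big-endian length followed by the compressed bytes); the MAX_CHUNK_SIZE cap and the class name are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Illustrative block reader modelled on snappy-java's SnappyInputStream framing:
 * each block is a 4-byte big-endian length followed by that many compressed bytes.
 * Added example for this advisory, not snappy-java's or Cassandra's code.
 */
public final class BoundedChunkReader {

    /** Assumed ceiling for a single block; snappy-java's own constant may differ. */
    static final int MAX_CHUNK_SIZE = 512 * 1024 * 1024;

    /** Reads one block, rejecting the declared length before any allocation. */
    static byte[] readChunk(DataInputStream in) throws IOException {
        int declared = in.readInt(); // untrusted when the stream comes from a client
        // A negative or oversized value must never reach 'new byte[declared]':
        // an unbounded allocation here is the DoS condition behind CVE-2023-43642.
        if (declared < 0 || declared > MAX_CHUNK_SIZE) {
            throw new IOException("rejected implausible block length: " + declared);
        }
        byte[] buf = new byte[declared];
        in.readFully(buf); // EOFException if fewer bytes are actually present
        return buf;
    }

    static byte[] readChunk(byte[] framed) throws IOException {
        return readChunk(new DataInputStream(new ByteArrayInputStream(framed)));
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: a well-formed 5-byte block and a header claiming ~2 GiB.
        byte[] good = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
        byte[] oversized = {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};

        System.out.println("good block: " + new String(readChunk(good), StandardCharsets.US_ASCII));
        try {
            readChunk(oversized);
        } catch (IOException e) {
            System.out.println("oversized block rejected: " + e.getMessage());
        }
    }
}
```

Without the bounds check, the second input would drive an allocation of roughly 2 GiB from a 4-byte header, which is the resource-exhaustion path the advisory describes.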

The CVSS (Common Vulnerability Scoring System) 3.x severity rating assigned to this vulnerability by the NVD (National Vulnerability Database), as it applies to snappy-java, is a base score of 7.5 (High).

Impact Analysis 

Instaclustr performed an investigation into this vulnerability and its potential impact on customers of our Managed Cassandra Service and assessed its severity rating as 3.0 on the CVSS 3.1 scale. The findings are listed below:

  • The main risk identified is that an authenticated user can cause Cassandra to stop processing data.  
  • Instaclustr’s Managed Cassandra Service employs firewall access control which limits where the cluster can be accessed from.  
  • Cassandra itself is a highly available service, meaning that this would need to be exploited several times to cause an outage of a cluster.  
  • Additionally, as this vulnerability requires the attacker to be authenticated to exploit it, a user would need to have been explicitly given access to the environment to execute the commands. This reduces the likelihood of clusters being exploited by an attacker through this vulnerability.

Mitigation Approaches 

Based on the impacts detailed above, Instaclustr recommends the following actions for our customers:  

  • We recommend all customers review the access permissions to their Cassandra clusters to ensure access is restricted to the minimum set of permissions, IP addresses, and trusted clients. You can find information about how to manage Cassandra users, ACLs, and firewall rules on our website.
  • Apache Cassandra versions 3.11.17, 4.0.12, and 4.1.4 contain the fix, although they had not been released by the Apache Cassandra project as at the date of publication of this security advisory. Please see Apache Cassandra JIRA 18878 for more information on the fixed versions. Our course of action will be to release Cassandra versions 3.11.17, 4.0.12, and 4.1.4 when available, and to recommend customers upgrade running Cassandra clusters. Once the new versions are released, we recommend that:
    • For new clusters, Cassandra version 3.11.17, 4.0.12, or 4.1.4 should be used, matching the major version you are on.
    • For existing clusters on older versions, an upgrade should be scheduled by contacting our Support team. Alternatively, our Support team will reach out to you shortly to schedule an upgrade.
  • We will mark older Cassandra versions as Closed and subsequently Retired once customer migration is completed, as per our lifecycle policy.   

Support Only Customers

  • We recommend all customers review the access permissions to their Cassandra clusters to ensure access is restricted to the minimum set of permissions, IP addresses, and trusted clients.
  • Once released, upgrade to Cassandra version 3.11.17, 4.0.12, or 4.1.4, matching the major version you are on.

If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact Instaclustr Support. 

References: https://nvd.nist.gov/vuln/detail/CVE-2023-43642

The post  Security Advisory: CVE-2023-43642 Snappy-Java appeared first on Instaclustr.