You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@cassandra.apache.org by "Abhishek Singh (Jira)" <ji...@apache.org> on 2019/11/12 16:26:00 UTC

[jira] [Created] (CASSANDRA-15412) Security vulnerability CVE-2016-4970 for Netty

Abhishek Singh created CASSANDRA-15412:
------------------------------------------

             Summary: Security vulnerability CVE-2016-4970 for Netty 
                 Key: CASSANDRA-15412
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-15412
             Project: Cassandra
          Issue Type: Bug
            Reporter: Abhishek Singh


*Cassendra Version: 3.11.4*

*Description :*
*Severity :* CVE CVSS 3.0: 7.5Sonatype CVSS 3.0: 7.5

*Weakness :* Sonatype CWE: 835

*Source :* National Vulnerability Database

*Categories :* ConfigurationData

*Description from CVE :* handler.

*Explanation :* Netty is vulnerable to Denial of Service (DoS). The wrap() function in the OpenSslEngine class doesnt properly handle renegotiations, causing the application to hang in an infinite loop. A remote attacker could exploit this vulnerability by sending multiple requests to the application to consume large amounts of CPU cycles, which can result in Denial of Service (DoS).

The Sonatype security research team discovered that the vulnerability is present in version 4.0.20 until 4.0.37, not in all the versions from 4.0.0 till 4.0.37 as the advisory states.

*Detection :* The application is vulnerable by using this component only if the server has renegotiation enabled (which is set as default).
Reference: ([https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]) [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]

*Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Workaround:
Users can use -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable renegotiation and avoid this issue.
Reference link: ([https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]) [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]

*Root Cause :* Cassandra-2.2.5.nupkgOpenSslEngine.class : [4.1.0.Beta1, 4.1.1.Final)

*Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]

*CVSS Details :* CVE CVSS 3.0: 7.5



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org