Abhishek Singh created CASSANDRA-15412: ------------------------------------------
Summary: Security vulnerability CVE-2016-4970 for Netty Key: CASSANDRA-15412 URL: https://issues.apache.org/jira/browse/CASSANDRA-15412 Project: Cassandra Issue Type: Bug Reporter: Abhishek Singh *Cassendra Version: 3.11.4* *Description :* *Severity :* CVE CVSS 3.0: 7.5Sonatype CVSS 3.0: 7.5 *Weakness :* Sonatype CWE: 835 *Source :* National Vulnerability Database *Categories :* ConfigurationData *Description from CVE :* handler. *Explanation :* Netty is vulnerable to Denial of Service (DoS). The wrap() function in the OpenSslEngine class doesnt properly handle renegotiations, causing the application to hang in an infinite loop. A remote attacker could exploit this vulnerability by sending multiple requests to the application to consume large amounts of CPU cycles, which can result in Denial of Service (DoS). The Sonatype security research team discovered that the vulnerability is present in version 4.0.20 until 4.0.37, not in all the versions from 4.0.0 till 4.0.37 as the advisory states. *Detection :* The application is vulnerable by using this component only if the server has renegotiation enabled (which is set as default). Reference: ([https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]) [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970] *Recommendation :* We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Workaround: Users can use -Djdk.tls.rejectClientInitiatedRenegotiation=true to disable renegotiation and avoid this issue. Reference link: ([https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970]) [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970] *Root Cause :* Cassandra-2.2.5.nupkgOpenSslEngine.class : [4.1.0.Beta1, 4.1.1.Final) *Advisories :* Project: [https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4970] *CVSS Details :* CVE CVSS 3.0: 7.5 -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org