Apache · Apache Cassandra · CVE-2020-17516
Name of the Vulnerable Software and Affected Versions:
Apache Cassandra versions 2.1.0 through 2.1.22
Apache Cassandra versions 2.2.0 through 2.2.19
Apache Cassandra versions 3.0.0 through 3.0.23
Apache Cassandra versions 3.11.0 through 3.11.9
Description:
The issue allows both encrypted and unencrypted internode connections when the internode encryption setting is 'dc' or 'rack'. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and so bypass the mutual TLS requirement.
Recommendations:
For Apache Cassandra versions 2.1.0 through 2.1.22, update the internode encryption setting to only allow encrypted connections.
For Apache Cassandra versions 2.2.0 through 2.2.19, update the internode encryption setting to only allow encrypted connections.
For Apache Cassandra versions 3.0.0 through 3.0.23, update the internode encryption setting to only allow encrypted connections.
For Apache Cassandra versions 3.11.0 through 3.11.9, update the internode encryption setting to only allow encrypted connections.
As a temporary workaround, consider restricting access to the internode connections to minimize the risk of exploitation.
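The recommendation above amounts to one configuration change: in cassandra.yaml, the internode_encryption key under server_encryption_options must not be left at 'dc' or 'rack'. The script below is an added example, not code from the advisory or from the Cassandra project; it audits a cassandra.yaml for that key and reports whether internode traffic is encrypted-only. It assumes the stock Cassandra key names (server_encryption_options, internode_encryption with values none/dc/rack/all, and require_client_auth), and the two configuration samples it checks are constructed for the example.

```python
"""Audit the internode encryption setting in a cassandra.yaml (added example,
not from the advisory). Uses a small line-based scan so it runs without a YAML
library; it only reads scalar entries directly under server_encryption_options."""
import re

# Values of server_encryption_options.internode_encryption (stock Cassandra).
# 'dc' and 'rack' are the ones the advisory names: they still accept plaintext
# from any peer claiming a different dc/rack, so mutual TLS is not enforced.
MIXED_VALUES = {"dc", "rack"}
ENCRYPTED_ONLY = "all"


def server_encryption_block(yaml_text):
    """Return {key: value} for the scalar entries under server_encryption_options.

    Top-level keys sit at indent 0; everything indented after the
    server_encryption_options: line belongs to its block until the next
    top-level key. Inline comments and quotes are stripped."""
    opts = {}
    in_block = False
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:
            in_block = line.startswith("server_encryption_options:")
            continue
        if in_block:
            m = re.match(r"\s*([A-Za-z_]+)\s*:\s*(.*)$", line)
            if m and m.group(2):
                opts[m.group(1)] = m.group(2).strip().strip("'\"").lower()
    return opts


def audit_internode_encryption(yaml_text):
    """Classify the internode encryption posture of a cassandra.yaml text.

    status is one of: 'missing' (key absent, Cassandra then runs unencrypted),
    'unencrypted' (none), 'mixed' (dc/rack: the CVE-2020-17516 condition),
    'encrypted_only' (all) or 'unknown'. mutual_tls_enforced is True only when
    every internode connection is encrypted AND client auth is required."""
    opts = server_encryption_block(yaml_text)
    value = opts.get("internode_encryption")
    if value is None:
        status = "missing"
    elif value == "none":
        status = "unencrypted"
    elif value in MIXED_VALUES:
        status = "mixed"
    elif value == ENCRYPTED_ONLY:
        status = "encrypted_only"
    else:
        status = "unknown"
    mutual_tls = status == "encrypted_only" and opts.get("require_client_auth") == "true"
    return {"value": value, "status": status, "mutual_tls_enforced": mutual_tls}


# Constructed sample: the setting the advisory describes as affected.
VULNERABLE_YAML = """
cluster_name: 'example-cluster'
server_encryption_options:
    internode_encryption: dc   # plaintext still accepted across dcs
    keystore: conf/.keystore
    keystore_password: KEYSTORE_PASSWORD_PLACEHOLDER
    truststore: conf/.truststore
    truststore_password: TRUSTSTORE_PASSWORD_PLACEHOLDER
    require_client_auth: true
client_encryption_options:
    enabled: false
"""

# Constructed sample: the recommended setting (encrypted connections only).
HARDENED_YAML = VULNERABLE_YAML.replace(
    "internode_encryption: dc   # plaintext still accepted across dcs",
    "internode_encryption: all",
)

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_YAML), ("hardened", HARDENED_YAML)):
        print(name, audit_internode_encryption(text))
```

Run it against a copy of each node's cassandra.yaml; any node reporting 'mixed', 'unencrypted' or 'missing' needs the setting changed to all (with the keystore and truststore configured) and a restart before the cluster can be considered remediated.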