PT-2021-10094 · Apache · Apache Cassandra

Mark Denihan · Published 2021-02-03 · Updated 2024-03-06

CVE-2020-17516

CVSS v3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions:

Apache Cassandra versions 2.1.0 through 2.1.22

Apache Cassandra versions 2.2.0 through 2.2.19

Apache Cassandra versions 3.0.0 through 3.0.23

Apache Cassandra versions 3.11.0 through 3.11.9

Description:

The issue allows both encrypted and unencrypted internode connections when the 'dc' or 'rack' internode encryption setting is used. A misconfigured node or a malicious user can use the unencrypted connection despite not being in the same rack or dc, and thereby bypass the mutual TLS requirement.

Recommendations:

For Apache Cassandra versions 2.1.0 through 2.1.22, update the internode encryption setting to only allow encrypted connections.

For Apache Cassandra versions 2.2.0 through 2.2.19, update the internode encryption setting to only allow encrypted connections.

For Apache Cassandra versions 3.0.0 through 3.0.23, update the internode encryption setting to only allow encrypted connections.

For Apache Cassandra versions 3.11.0 through 3.11.9, update the internode encryption setting to only allow encrypted connections.

As a temporary workaround, consider restricting access to the internode connections to minimize the risk of exploitation.
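As an added illustration that is not part of this advisory, the cassandra.yaml fragments below show the affected setting beside the recommended one; the keystore and truststore paths and passwords are placeholders.

```yaml
# cassandra.yaml: server_encryption_options governs internode (node-to-node) TLS.
#
# Affected configuration: 'dc' (or 'rack') was intended to encrypt only traffic
# that crosses a datacenter (or rack) boundary, but the affected versions also
# accepted unencrypted connections from peers outside that boundary, so the
# mutual TLS requirement could be bypassed.
server_encryption_options:
  internode_encryption: dc               # 'rack' is affected in the same way
  keystore: /path/to/keystore.jks        # placeholder
  keystore_password: CHANGE_ME           # placeholder
  truststore: /path/to/truststore.jks    # placeholder
  truststore_password: CHANGE_ME         # placeholder
  require_client_auth: true
---
# Recommended configuration: 'all' requires TLS on every internode connection,
# so unencrypted internode connections are refused regardless of the peer's
# claimed datacenter or rack.
server_encryption_options:
  internode_encryption: all
  keystore: /path/to/keystore.jks        # placeholder
  keystore_password: CHANGE_ME           # placeholder
  truststore: /path/to/truststore.jks    # placeholder
  truststore_password: CHANGE_ME         # placeholder
  require_client_auth: true
```

The two documents are alternatives separated by `---`; only one `server_encryption_options` block belongs in a real cassandra.yaml, and a restart of each node is needed for the change to take effect.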

Weakness Enumeration:

Authentication Bypass by Spoofing

Related Identifiers:

BIT-CASSANDRA-2020-17516
CVE-2020-17516
GHSA-2VXM-VP4C-FJFW
SUSE-SU-2021:1962-1
SUSE-SU-2021:2554-1

Affected Products:

Apache Cassandra