CVE-2024-37309

Name of the Vulnerable Software and Affected Versions CrateDB versions prior to 5.7.2

Description A high-risk issue has been identified in the TLS endpoint, where client-initiated renegotiation is permitted, allowing an attacker to exploit this feature and repeatedly request renegotiation of security parameters during an ongoing TLS session. This can lead to excessive consumption of CPU resources, resulting in potential server overload and service disruption. The issue was confirmed using an openssl client, where the command R initiates renegotiation, followed by the server confirming with RENEGOTIATING. This allows an attacker to perform a denial of service attack by exhausting server CPU resources through repeated TLS renegotiations, impacting the availability of services running on the affected server and posing a significant risk to operational stability and security.

Recommendations For CrateDB versions prior to 5.7.2, update to version 5.7.2 to resolve the issue. As a temporary workaround, consider restricting access to the TLS endpoint on port 4200 to minimize the risk of exploitation. Avoid using the TLS renegotiation feature until the issue is resolved.