Apache Cassandra Unauthorized Access Vulnerability
Description
Apache Cassandra is an open-source distributed NoSQL database designed to run inside a trusted network and to be reached only by authenticated clients. Out of the box it ships with AllowAllAuthenticator and AllowAllAuthorizer and with client-to-node encryption disabled, so any host that can reach the CQL port can read and modify every keyspace without presenting credentials.
This finding is raised when a Cassandra instance is reachable from the public internet or another untrusted network without compensating access controls, so that unauthenticated clients can connect directly to the database service.
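The quickest way to confirm the exposure described above is to open a CQL native-protocol session and look at how the node answers a STARTUP frame: a READY reply means the session was accepted with no credentials, while an AUTHENTICATE reply names the authenticator the client must satisfy first. The probe below is an added example, not code from the original page or from the Cassandra project; the frame layout and opcodes follow the CQL binary protocol specification, and the host, port and timeout defaults plus the sample response frames are assumptions constructed for offline demonstration.

```python
"""Added example, not code from the original page or the Cassandra project:
a minimal CQL native-protocol v4 probe that reports whether a Cassandra node
demands authentication. Frame layout and opcodes follow the CQL binary
protocol specification; host, port and timeout defaults are assumptions."""
import socket
import struct
import sys

PROTOCOL_VERSION = 0x04        # request frames carry 0x04, responses carry 0x84
OPCODE_ERROR = 0x00
OPCODE_STARTUP = 0x01
OPCODE_READY = 0x02
OPCODE_AUTHENTICATE = 0x03
HEADER_FORMAT = ">BBhBi"       # version, flags, stream id, opcode, body length
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 9 bytes


def _string(value: bytes) -> bytes:
    """Protocol [string]: 2-byte big-endian length followed by the bytes."""
    return struct.pack(">H", len(value)) + value


def build_startup_frame(stream: int = 1) -> bytes:
    """STARTUP request whose body is a [string map] with the single required key CQL_VERSION."""
    body = struct.pack(">H", 1) + _string(b"CQL_VERSION") + _string(b"3.0.0")
    header = struct.pack(HEADER_FORMAT, PROTOCOL_VERSION, 0x00, stream, OPCODE_STARTUP, len(body))
    return header + body


def classify_response(frame: bytes):
    """Map the server's reply to STARTUP onto an access verdict (verdict, detail).

    READY: the node accepted the session with no credentials (AllowAllAuthenticator).
    AUTHENTICATE: the body names the authenticator the client must satisfy first.
    """
    if len(frame) < HEADER_LEN:
        return ("malformed", "short frame")
    version, _flags, _stream, opcode, length = struct.unpack(HEADER_FORMAT, frame[:HEADER_LEN])
    body = frame[HEADER_LEN:HEADER_LEN + max(length, 0)]
    if not version & 0x80:
        return ("malformed", "response bit not set")
    if opcode == OPCODE_READY:
        return ("no-auth", "")
    if opcode == OPCODE_AUTHENTICATE and len(body) >= 2:
        name_len = struct.unpack(">H", body[:2])[0]
        return ("auth-required", body[2:2 + name_len].decode("utf-8", "replace"))
    if opcode == OPCODE_ERROR and len(body) >= 6:
        # ERROR body: 4-byte error code followed by a [string] message
        msg_len = struct.unpack(">H", body[4:6])[0]
        return ("error", body[6:6 + msg_len].decode("utf-8", "replace"))
    return ("unknown", "opcode 0x%02x" % opcode)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before a full frame was read")
        buf += chunk
    return buf


def probe(host: str, port: int = 9042, timeout: float = 5.0):
    """Connect, send STARTUP with no credentials, and classify the first frame back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_startup_frame())
        header = _recv_exact(sock, HEADER_LEN)
        length = struct.unpack(">i", header[5:9])[0]
        body = _recv_exact(sock, length) if length > 0 else b""
    return classify_response(header + body)


# Constructed sample responses (not captured from a live node) for offline checks.
_AUTH_NAME = b"org.apache.cassandra.auth.PasswordAuthenticator"
SAMPLE_READY = struct.pack(HEADER_FORMAT, 0x84, 0x00, 1, OPCODE_READY, 0)
SAMPLE_AUTHENTICATE = (
    struct.pack(HEADER_FORMAT, 0x84, 0x00, 1, OPCODE_AUTHENTICATE, 2 + len(_AUTH_NAME))
    + _string(_AUTH_NAME)
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdict, detail = probe(target)
    print(f"{target}:9042 -> {verdict} {detail}".rstrip())
```

Run it as `python3 probe.py <host>` against a node you are authorised to test; a "no-auth" verdict on an address reachable from outside the database tier is exactly the condition this page describes. The probe never sends credentials or queries, so it is safe to run from a scanner.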
Remediation
Restrict network access to Cassandra instances using the following measures:
1. Configure firewall rules to allow connections only from trusted IP addresses and networks. Block public internet access to Cassandra ports (defaults: 9042 for the CQL native transport, 7000 for inter-node communication and 7001 for TLS inter-node communication, and 7199 for JMX).
2. Enable authentication and authorization by modifying cassandra.yaml (both default to the AllowAll implementations):
   authenticator: PasswordAuthenticator
   authorizer: CassandraAuthorizer
   Once PasswordAuthenticator is active, Cassandra creates a default superuser named cassandra with the password cassandra; change that password (or create a new superuser and drop the default) and raise the replication factor of the system_auth keyspace so that logins keep working when a node is down.
3. Enable client-to-node encryption by configuring TLS in cassandra.yaml. Keep optional set to false; with optional: true the node still accepts unencrypted connections on the same port.
   client_encryption_options:
     enabled: true
     optional: false
     keystore: /path/to/keystore
     keystore_password: your_password
4. Bind Cassandra to internal network interfaces rather than all interfaces. Set rpc_address (the address the CQL native transport listens on) to the node's internal address instead of 0.0.0.0, and set listen_address to the internal address used for inter-node traffic (Cassandra refuses to start with a wildcard listen_address).
5. Implement network segmentation to isolate Cassandra nodes within a dedicated database tier accessible only to application servers that require database connectivity.
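The following script checks a cassandra.yaml against remediation points 2 to 4 above (authentication, authorization, client-to-node TLS and the bind address) and shows a weak configuration beside a hardened one. It is an added example, not code from the original page or from the Cassandra project: the parser understands only the flat keys and the one nested block used here rather than full YAML, and both sample configurations are constructed for illustration, not taken from any deployment.

```python
"""Added example, not code from the original page or the Cassandra project:
audits a cassandra.yaml for the settings behind this finding. The parser
covers only flat `key: value` lines and one level of nested mappings; the
two sample configurations below are constructed, not real deployments."""
import re


def parse_cassandra_yaml(text: str) -> dict:
    """Parse top-level scalars and one level of nested mappings (enough for the keys audited here)."""
    config, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"\s#", raw, maxsplit=1)[0].rstrip()   # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indented = line[0] in " \t"
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not indented:
            if value:
                config[key] = value
                section = None
            else:                      # `name:` with no value opens a nested block
                section = key
                config[key] = {}
        elif section is not None:
            config[section][key] = value
    return config


def audit(config: dict) -> list:
    """Return one finding per weak setting; an empty list means the audited points are satisfied."""
    findings = []
    # Cassandra's defaults when the keys are absent are the AllowAll implementations.
    if str(config.get("authenticator", "AllowAllAuthenticator")).endswith("AllowAllAuthenticator"):
        findings.append("authenticator is AllowAllAuthenticator: any client connects without credentials")
    if str(config.get("authorizer", "AllowAllAuthorizer")).endswith("AllowAllAuthorizer"):
        findings.append("authorizer is AllowAllAuthorizer: every client holds every permission")
    enc = config.get("client_encryption_options", {})
    if not isinstance(enc, dict) or str(enc.get("enabled", "false")).lower() != "true":
        findings.append("client_encryption_options.enabled is false: CQL traffic is cleartext")
    elif str(enc.get("optional", "false")).lower() == "true":
        findings.append("client_encryption_options.optional is true: clients may still connect without TLS")
    if config.get("rpc_address", "") in ("0.0.0.0", "::"):
        findings.append("rpc_address binds every interface: set it to the node's internal address")
    return findings


# Constructed weak configuration: the shipped defaults plus a wildcard rpc_address.
WEAK_CONFIG = """
# constructed sample, not a real deployment
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
listen_address: 10.0.1.5
rpc_address: 0.0.0.0
broadcast_rpc_address: 10.0.1.5
native_transport_port: 9042
client_encryption_options:
  enabled: false
  optional: false
  keystore: conf/.keystore
  keystore_password: cassandra
"""

# Constructed hardened configuration applying the remediation steps.
HARDENED_CONFIG = """
cluster_name: 'Prod Cluster'
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
listen_address: 10.0.1.5
rpc_address: 10.0.1.5
native_transport_port: 9042
client_encryption_options:
  enabled: true
  optional: false
  keystore: /etc/cassandra/conf/keystore.jks
  keystore_password: changeit
  require_client_auth: false
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(parse_cassandra_yaml(text)) or ["no findings"]:
            print("  -", finding)
```

To check a real node, read /etc/cassandra/cassandra.yaml (path varies by package) into parse_cassandra_yaml and print the findings; an empty list covers the configuration file only, so the firewall and segmentation points still need to be verified on the network.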