
Security Advisory: CVE-2023-30601 Apache Cassandra®

Following the publication of CVE-2023-30601, Instaclustr began investigating its potential impact on our Instaclustr Managed Apache Cassandra® offering. This vulnerability affects Apache Cassandra 4.0.0 through 4.0.9 and 4.1.0 through 4.1.1. It is a privilege-escalation issue in the path that enables FQL/audit logging: a user with JMX access can use it to run arbitrary commands as the user account running Apache Cassandra.

The security controls that exist in our managed service—including but not limited to firewalls, intrusion detection, and compartmentalization practices—lower the risk of this vulnerability. However, our course of action will be to release Cassandra version 4.0.10 as a newer, patched version of Managed Cassandra and subsequently upgrade customers on an impacted version (i.e., any managed Cassandra cluster on 4.0.1, 4.0.4, or 4.0.9). Apache Cassandra version 4.0.10 contains the fix and will soon be made available on the Instaclustr Managed Platform. If you have any questions, please get in contact with Instaclustr Support.

Mitigation for customers on Cassandra 4.0.1, 4.0.4, or 4.0.9: 

  • For customers using the managed service, the Instaclustr Support team will be in contact with you to schedule an upgrade of your managed Cassandra clusters to version 4.0.10.
  • For support-only customers, you will need to upgrade your Cassandra clusters to 4.0.10; in the short term it is advisable to close any remote JMX access to your clusters.
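A triage helper for the two mitigation points above, added here as an example rather than Instaclustr's or the Cassandra project's own tooling: it checks a node's reported version against the advisory's affected ranges and reads cassandra-env.sh to see whether remote JMX is still enabled (LOCAL_JMX is the stock Cassandra setting; the sample file contents are constructed).

```python
"""CVE-2023-30601 triage helper (added example, not Instaclustr's tooling).

Checks the two facts the advisory turns on: is the node's Cassandra version
in an affected range, and does cassandra-env.sh leave JMX reachable remotely
(LOCAL_JMX set to anything but "yes")?  Assumes the stock cassandra-env.sh
layout; a LOCAL_JMX exported from outside the file is not visible here.
"""
import re

AFFECTED = [((4, 0, 0), (4, 0, 9)), ((4, 1, 0), (4, 1, 1))]  # per advisory
ASSIGN = re.compile(r'(?:export\s+)?LOCAL_JMX=["\']?(\w*)["\']?$')

def parse_version(text):
    """'4.0.9' or '4.0.9-SNAPSHOT' -> (4, 0, 9)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Cassandra version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def remote_jmx_enabled(env_text):
    """True if this cassandra-env.sh starts the JVM with remote JMX.

    The stock file sets LOCAL_JMX=yes only inside an 'if [ "x$LOCAL_JMX" = "x" ]'
    guard; that is a default and must not beat an explicit LOCAL_JMX=no above it.
    """
    value, in_guard = None, False
    for raw in env_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if 'x$LOCAL_JMX" = "x"' in line:
            in_guard = True
        elif line == "fi":
            in_guard = False
        m = ASSIGN.match(line)
        if m and not (in_guard and value is not None):
            value = m.group(1)
    return (value or "yes") != "yes"

def triage(version, env_text):
    affected, remote = is_affected(version), remote_jmx_enabled(env_text)
    if affected and remote:
        return affected, remote, "upgrade; close remote JMX until then"
    if affected:
        return affected, remote, "upgrade; JMX is already localhost-only"
    return affected, remote, "version not in an affected range"

# Constructed sample: operator enabled remote JMX above the stock default block.
SAMPLE_ENV = 'LOCAL_JMX=no\nif [ "x$LOCAL_JMX" = "x" ]; then\n    LOCAL_JMX=yes\nfi\n'
```

Run `triage(version, open("cassandra-env.sh").read())` per node; the version string is what `nodetool version` reports.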

As a further mitigation step, we will immediately mark managed Cassandra versions 4.0.1, 4.0.4, and 4.0.9 as Legacy Support, ahead of these versions being marked End of Life on 31 July 2023 as per our lifecycle policy.

As always, customers who want to take a more proactive stance should limit access to their managed Cassandra cluster to only trusted clients and ensure those clients are secure. This is always good security practice in any case. 

If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact Instaclustr Support. 

References: https://nvd.nist.gov/vuln/detail/CVE-2023-30601 

The post Security Advisory: CVE 2023-30601 Apache Cassandra® appeared first on Instaclustr.
