Security controls bypass or absence In com.instaclustr:cassandra-lucene-index-plugin
Description
Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC
Summary / Details
Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra 4.x, are susceptible to a vulnerability which, when successfully exploited, could allow authenticated Cassandra users to remotely bypass RBAC to access data and escalate their privileges.
Affected Versions
Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x.
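The version ranges above are easy to misread because the plugin version string carries two numbers, the Cassandra release it is built against and the plugin's own version: 4.1.8-1.0.0 is affected while 4.1.8-1.0.1 is fixed. The following is an added Python example, not code from the advisory, Instaclustr or the plugin, that parses such a version string and classifies it against the ranges stated in this advisory. It assumes the "<cassandra version>-<plugin version>" layout seen in the advisory, orders a pre-release such as 4.0-rc1 before the 4.0.0 release, and reports versions the advisory does not describe as "not covered" rather than guessing.

```python
import re

# Affected ranges and the fixed release for each Cassandra line, copied from
# the advisory text.  Plugin versions are written as
# "<cassandra version>-<plugin version>", e.g. "4.0.16-1.0.0".
ADVISORY = [
    # (first affected, last affected, first fixed)
    ("4.0-rc1-1.0.0", "4.0.16-1.0.0", "4.0.17-1.0.0"),
    ("4.1.0-1.0.0",   "4.1.8-1.0.0",  "4.1.8-1.0.1"),
]

_CASSANDRA = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d+))?$")
_PRERELEASE_ORDER = {"alpha": 0, "beta": 1, "rc": 2}


def parse_cassandra(part: str) -> tuple:
    """Turn '4.0-rc1' or '4.0.16' into a sortable tuple.

    A pre-release such as 4.0-rc1 sorts before the 4.0.0 release, which in
    turn sorts before 4.0.1; the affected range starts at 4.0-rc1, so this
    ordering matters.
    """
    m = _CASSANDRA.match(part)
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {part!r}")
    major, minor, patch, tag, tag_num = m.groups()
    # (major, minor, patch, is_release, pre-release kind, pre-release number)
    return (int(major), int(minor), int(patch or 0),
            0 if tag else 1,
            _PRERELEASE_ORDER.get(tag, 0), int(tag_num or 0))


def parse_version(version: str) -> tuple:
    """Split '<cassandra>-<plugin>' on the last '-' and key both halves."""
    cassandra, plugin = version.rsplit("-", 1)
    plugin_key = tuple(int(x) for x in plugin.split("."))
    return parse_cassandra(cassandra) + plugin_key


def classify(version: str) -> str:
    """'affected', 'fixed', or 'not covered' (a version this advisory does not describe)."""
    key = parse_version(version)
    for first, last, fixed in ADVISORY:
        if parse_version(first) <= key <= parse_version(last):
            return "affected"
        fixed_key = parse_version(fixed)
        # Same Cassandra major.minor line and at or past the fixed release.
        if key[:2] == fixed_key[:2] and key >= fixed_key:
            return "fixed"
    return "not covered"


if __name__ == "__main__":
    for v in ["4.0-rc1-1.0.0", "4.0.12-1.0.0", "4.1.8-1.0.0",
              "4.1.8-1.0.1", "4.0.17-1.0.0", "3.11.4-1.0.0"]:
        print(f"{v:16} {classify(v)}")
```

Feed it the plugin artifact version from your deployment (for example the Maven coordinate's version or the jar name) rather than the Cassandra version alone; the Cassandra half only says which line the plugin was built for.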
Required Configuration for Exploit
All of the following conditions must hold for the vulnerability to be exploitable:
Cassandra 4.x
A vulnerable version of the Cassandra-Lucene-Index plugin installed and configured for use
Data has been written to tables
A Lucene index has been created
A Cassandra flush (memtables written to SSTables) has run
Mitigation/Prevention
Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploitation is possible any time the conditions above are met.
Solution
Upgrade to a fixed version of the Cassandra-Lucene-Index plugin (4.0.17-1.0.0 for the Cassandra 4.0 line, 4.1.8-1.0.1 for the 4.1 line).
Review the roles in Cassandra and validate every superuser grant, since a successful exploit could have escalated privileges before the upgrade.
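To make the mitigation and the post-upgrade review concrete, here is an added Python example that is not code from the advisory, Instaclustr or the plugin. It shows the CQL a practitioner would run in cqlsh against Cassandra's system_schema.indexes and system_auth.roles tables, then turns the resulting rows into the DROP INDEX statements for every Lucene index and a list of superuser roles to justify or revoke. The rows below are constructed samples standing in for those query results; the index class name com.stratio.cassandra.lucene.Index is the one the Stratio-derived plugin registers, and matching on the substring "lucene" rather than the exact class is an assumption made so a renamed fork is still caught.

```python
# CQL to run in cqlsh to gather the two inputs.  The rows below are
# constructed samples standing in for what those queries return.
QUERY_INDEXES = ("SELECT keyspace_name, table_name, index_name, kind, options "
                 "FROM system_schema.indexes;")
QUERY_ROLES = "SELECT role, is_superuser, can_login FROM system_auth.roles;"

SAMPLE_INDEXES = [  # constructed: two Lucene custom indexes and one native index
    {"keyspace_name": "shop", "table_name": "orders", "index_name": "orders_lucene",
     "kind": "CUSTOM",
     "options": {"class_name": "com.stratio.cassandra.lucene.Index",
                 "target": "lucene", "refresh_seconds": "1"}},
    {"keyspace_name": "shop", "table_name": "orders", "index_name": "orders_status_idx",
     "kind": "COMPOSITES", "options": {"target": "status"}},
    {"keyspace_name": "shop", "table_name": "customers", "index_name": "customers_lucene",
     "kind": "CUSTOM",
     "options": {"class_name": "com.stratio.cassandra.lucene.Index", "target": "lucene"}},
]
SAMPLE_ROLES = [  # constructed: the default superuser plus an unexpected one
    {"role": "cassandra", "is_superuser": True, "can_login": True},
    {"role": "app_reader", "is_superuser": False, "can_login": True},
    {"role": "ops_tmp", "is_superuser": True, "can_login": True},
]


def lucene_indexes(rows, class_marker="lucene"):
    """CUSTOM indexes whose implementing class looks like the Lucene plugin.

    Native secondary indexes (kind COMPOSITES/KEYS) carry no class_name and are
    skipped; the marker is matched case-insensitively (assumption, see lead-in).
    """
    found = []
    for row in rows:
        cls = row.get("options", {}).get("class_name", "")
        if row.get("kind") == "CUSTOM" and class_marker in cls.lower():
            found.append((row["keyspace_name"], row["table_name"], row["index_name"]))
    return found


def drop_statements(rows):
    """DROP INDEX statements implementing the mitigation: drop every Lucene index."""
    # Quoted identifiers preserve the case stored in system_schema.
    return [f'DROP INDEX IF EXISTS "{ks}"."{idx}";'
            for ks, _table, idx in lucene_indexes(rows)]


def superusers(rows):
    """Roles holding superuser; each must be justified or revoked after the upgrade."""
    return sorted(r["role"] for r in rows if r.get("is_superuser"))


if __name__ == "__main__":
    print("-- run in cqlsh:", QUERY_INDEXES)
    for stmt in drop_statements(SAMPLE_INDEXES):
        print(stmt)
    print("-- run in cqlsh:", QUERY_ROLES)
    print("superusers to review:", ", ".join(superusers(SAMPLE_ROLES)))
```

Run the two queries with a role that can read system_auth (a superuser), paste the rows into the sample structures, and review the output before executing any DROP INDEX; dropping the Lucene indexes removes the plugin's query capability for those tables until they are recreated on a fixed version.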
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| maven | com.instaclustr:cassandra-lucene-index-plugin | 4.0-rc1-1.0.0 through 4.0.16-1.0.0; 4.1.0-1.0.0 through 4.1.8-1.0.0 | 4.0.17-1.0.0, 4.1.8-1.0.1 |