nvd-json-data-feeds/CVE-2022/CVE-2022-292xx/CVE-2022-29240.json

{
  "id": "CVE-2022-29240",
  "sourceIdentifier": "security-advisories@github.com",
  "published": "2022-09-15T22:15:11.220",
  "lastModified": "2022-09-21T14:17:44.350",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part of decompression buffer won't be overwritten, and will be left uninitialized. This can be exploited in several ways, depending on the privileges of the user. 1. The main exploit is that an attacker with access to CQL port, but no user account, can bypass authentication, but only if there are other legitimate clients making connections to the cluster, and they use LZ4. 2. Attacker that already has a user account on the cluster can read parts of uninitialized memory, which can contain things like passwords of other users or fragments of other queries / results, which leads to authorization bypass and sensitive information disclosure. The bug has been patched in the following versions: Scylla Enterprise: 2020.1.14, 2021.1.12, 2022.1.0. Scylla Open Source: 4.6.7, 5.0.3. Users unable to upgrade should make sure none of their drivers connect to cluster using LZ4 compression, and that Scylla CQL port is behind firewall. Additionally make sure no untrusted client can connect to Scylla, by setting up authentication and applying workarounds from previous point (firewall, no lz4 compression)."
    },
    {
      "lang": "es",
      "value": "Scylla es una base de datos de big data en tiempo real que es compatible con la API de Apache Cassandra y Amazon DynamoDB. Cuando es descomprimida la trama CQL recibida del usuario, Scylla asume que la longitud sin comprimir proporcionada por el usuario es correcta. Si el usuario proporciona una longitud falsa, que es mayor que la real, parte del b\u00fafer de descompresi\u00f3n no ser\u00e1 sobrescrita, y ser\u00e1 dejada sin inicializar. Esto puede ser explotado de varias maneras, dependiendo de los privilegios del usuario. 1. La principal explotaci\u00f3n es que un atacante con acceso al puerto CQL, pero sin cuenta de usuario, puede omitir la autenticaci\u00f3n, pero s\u00f3lo si se presentan otros clientes leg\u00edtimos haciendo conexiones al cl\u00faster, y usan LZ4. 2. El atacante que ya presenta una cuenta de usuario en el cl\u00faster puede leer partes de la memoria no inicializada, que pueden contener cosas como contrase\u00f1as de otros usuarios o fragmentos de otras consultas/resultados, lo que conlleva a omitir la autorizaci\u00f3n y revelar informaci\u00f3n confidencial. El bug ha sido parcheado en las siguientes versiones: Scylla Enterprise: 2020.1.14, 2021.1.12, 2022.1.0. Scylla Open Source: 4.6.7, 5.0.3. Los usuarios que no puedan actualizar deben asegurarse de que ninguno de sus controladores sean conectados al cl\u00faster usando la compresi\u00f3n LZ4, y que el puerto CQL de Scylla est\u00e1 detr\u00e1s del firewall. Adem\u00e1s, aseg\u00farese de que ning\u00fan cliente no confiable pueda conectarse a Scylla, al configurar la autenticaci\u00f3n y aplicando las mitigaciones del punto anterior (firewall, sin compresi\u00f3n LZ4)"
    }
  ],
  "metrics": {
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9
      },
      {
        "source": "security-advisories@github.com",
        "type": "Secondary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH",
          "baseScore": 8.1,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "security-advisories@github.com",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-908"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:scylladb:scylla:*:*:*:*:open_source:*:*:*",
              "versionEndExcluding": "4.6.7",
              "matchCriteriaId": "62049391-A8C3-4963-B692-B9D0EBD24754"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:scylladb:scylla:*:*:*:*:enterprise:*:*:*",
              "versionEndExcluding": "2020.1.14",
              "matchCriteriaId": "3D30E6EF-8EDA-467A-B467-0DD00916F5BE"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:scylladb:scylla:*:*:*:*:open_source:*:*:*",
              "versionStartIncluding": "5.0.0",
              "versionEndExcluding": "5.0.3",
              "matchCriteriaId": "3BD1B169-D009-459A-AA09-60835C7712EA"
            },
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:scylladb:scylla:*:*:*:*:enterprise:*:*:*",
              "versionStartIncluding": "2021.1.0",
              "versionEndExcluding": "2021.1.12",
              "matchCriteriaId": "25942345-FCBA-4788-B0CA-4E6C247C9862"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/scylladb/scylla/security/advisories/GHSA-25pq-rrqm-6fmr",
      "source": "security-advisories@github.com",
      "tags": [
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/scylladb/scylladb/commit/1c2eef384da439b0457b6d71c7e37d7268e471cb",
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://github.com/scylladb/scylladb/issues/11476",
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ]
    }
  ]
}