
CVE-2022-29240 : What You Need to Know

Learn about CVE-2022-29240, a vulnerability in Scylla that lets attackers bypass authentication through an uninitialized memory read during LZ4 decompression. Mitigate the risk with immediate steps and long-term security practices.

A security vulnerability, tracked as CVE-2022-29240, has been identified in Scylla, a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. The vulnerability lets attackers trigger an uninitialized memory read during LZ4 decompression, leading to authentication bypass and sensitive information disclosure in Scylla.

Understanding CVE-2022-29240

This section delves into the details of the CVE-2022-29240 vulnerability in Scylla.

What is CVE-2022-29240?

When decompressing CQL frames received from users, Scylla incorrectly assumes that the user-provided uncompressed length is correct. The decompression buffer is sized from that claimed length, but only the bytes the LZ4 block actually expands to are written, so if a fake length greater than the real one is provided, the remainder of the buffer stays uninitialized and is handed on as if it were frame data. This can be exploited for authentication bypass and unauthorized access to sensitive data.

The Impact of CVE-2022-29240

The vulnerability is rated high severity, with a CVSS base score of 8.1. It allows attackers to bypass authentication and to read uninitialized memory that may contain sensitive information, such as passwords and queries and their results.

Technical Details of CVE-2022-29240

In this section, we explore the technical aspects of the CVE-2022-29240 vulnerability in Scylla.

Vulnerability Description

The issue stems from an incorrect assumption made during CQL frame decompression, leading to uninitialized memory regions that can be leveraged by attackers to bypass authentication and access confidential data.

Affected Systems and Versions

Scylla versions prior to 4.6.7, and versions from 5.0.0 up to the fixed release 5.0.3, are affected by this vulnerability. Users of these versions are at risk of exploitation if proper mitigations are not applied.

Exploitation Mechanism

By manipulating the uncompressed length provided during CQL frame decompression, attackers can bypass authentication mechanisms and gain unauthorized access to sensitive information within Scylla.
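The defect described in the "What is CVE-2022-29240?", "Vulnerability Description" and "Exploitation Mechanism" sections is a single missing consistency check: the decoder's output length is never compared with the length the client claimed. The following C program is an added example, not Scylla's or liblz4's code, showing the hardened shape of that step. It contains a minimal LZ4 block decoder written for this page, a frame-body routine that treats the 4-byte declared length as a claim to verify (the layout, a length prefix followed by the LZ4 block, follows the CQL native protocol's compressed-body convention; the big-endian byte order is assumed here, matching how CQL encodes its integers), and constructed sample frames. The block bytes, the declared lengths and the helper names are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Minimal LZ4 block decoder (example code, not liblz4). Returns bytes written
 * to dst, or -1 if the input is malformed or would overflow dst. */
static long lz4_block_decode(const uint8_t *src, size_t src_len,
                             uint8_t *dst, size_t dst_cap)
{
    size_t ip = 0, op = 0;
    while (ip < src_len) {
        uint8_t token = src[ip++];
        size_t lit_len = token >> 4;
        if (lit_len == 15) {                       /* extended literal length */
            uint8_t b;
            do { if (ip >= src_len) return -1; b = src[ip++]; lit_len += b; } while (b == 255);
        }
        if (lit_len > src_len - ip || lit_len > dst_cap - op) return -1;
        memcpy(dst + op, src + ip, lit_len);
        ip += lit_len;
        op += lit_len;
        if (ip == src_len) break;                  /* final sequence: literals only */
        if (src_len - ip < 2) return -1;
        size_t offset = (size_t)src[ip] | ((size_t)src[ip + 1] << 8);
        ip += 2;
        if (offset == 0 || offset > op) return -1; /* match must point into output */
        size_t match_len = (size_t)(token & 0x0F) + 4;
        if ((token & 0x0F) == 15) {                /* extended match length */
            uint8_t b;
            do { if (ip >= src_len) return -1; b = src[ip++]; match_len += b; } while (b == 255);
        }
        if (match_len > dst_cap - op) return -1;
        for (size_t i = 0; i < match_len; i++) {   /* byte copy: overlap is legal in LZ4 */
            dst[op] = dst[op - offset];
            op++;
        }
    }
    return (long)op;
}

enum frame_status { FRAME_OK = 0, FRAME_TRUNCATED, FRAME_TOO_LARGE,
                    FRAME_CORRUPT, FRAME_LENGTH_MISMATCH };

/* Compressed CQL body: 4-byte declared uncompressed length, then the LZ4 block.
 * The length is attacker-controlled, so the decoder's real output size must
 * equal it exactly; anything else is rejected and no buffer reaches the caller. */
static enum frame_status decompress_cql_body(const uint8_t *body, size_t body_len,
                                             uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    *out_len = 0;
    if (body_len < 4) return FRAME_TRUNCATED;
    size_t declared = ((size_t)body[0] << 24) | ((size_t)body[1] << 16) |
                      ((size_t)body[2] << 8)  |  (size_t)body[3];
    if (declared > dst_cap) return FRAME_TOO_LARGE;   /* server policy bounds the size, not the peer */
    long produced = lz4_block_decode(body + 4, body_len - 4, dst, declared);
    if (produced < 0) return FRAME_CORRUPT;
    if ((size_t)produced != declared) return FRAME_LENGTH_MISMATCH; /* the missing check */
    *out_len = declared;
    return FRAME_OK;
}

/* Constructed sample block; it expands to "ABCDABCDABCDABCDABCD12345" (25 bytes). */
static const uint8_t SAMPLE_BLOCK[] = {
    0x4C, 'A', 'B', 'C', 'D',       /* 4 literals, match length 12 + 4 = 16 */
    0x04, 0x00,                     /* match offset 4: repeat "ABCD" four times */
    0x50, '1', '2', '3', '4', '5'   /* final sequence: 5 literals */
};

/* Wrap SAMPLE_BLOCK in a body whose declared length the caller chooses. */
static enum frame_status try_frame(uint32_t declared, uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    uint8_t body[4 + sizeof SAMPLE_BLOCK];
    body[0] = (uint8_t)(declared >> 24); body[1] = (uint8_t)(declared >> 16);
    body[2] = (uint8_t)(declared >> 8);  body[3] = (uint8_t)declared;
    memcpy(body + 4, SAMPLE_BLOCK, sizeof SAMPLE_BLOCK);
    return decompress_cql_body(body, sizeof body, dst, dst_cap, out_len);
}

/* Honest frame: declared 25, block yields 25, payload is returned. */
static int honest_frame_ok(void)
{
    uint8_t dst[64]; size_t n = 0;
    return try_frame(25, dst, sizeof dst, &n) == FRAME_OK && n == 25 &&
           memcmp(dst, "ABCDABCDABCDABCDABCD12345", 25) == 0;
}

/* Inflated frame: declared 40, block yields 25. Trusting the header would hand
 * 15 never-written bytes of dst to the caller; the check rejects the frame. */
static int inflated_frame_rejected(void)
{
    uint8_t dst[64]; size_t n = 0;
    return try_frame(40, dst, sizeof dst, &n) == FRAME_LENGTH_MISMATCH && n == 0;
}

/* Undersized frame: declared 10, so the decoder's bound is hit mid-block. */
static int undersized_frame_rejected(void)
{
    uint8_t dst[64]; size_t n = 0;
    return try_frame(10, dst, sizeof dst, &n) == FRAME_CORRUPT && n == 0;
}
```

The two checks work together: the declared length is capped by a server-side limit before any buffer is sized from it, and after decoding the produced byte count must match the declaration exactly. A frame that fails either test is discarded whole, so no partially written buffer is ever interpreted as protocol data. Zero-filling the buffer would also hide the leak, but the length comparison is the stronger fix because it rejects the malformed frame instead of quietly accepting it.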

Mitigation and Prevention

Protecting systems from the CVE-2022-29240 vulnerability requires immediate action and long-term security practices.

Immediate Steps to Take

Users should upgrade to the patched versions of Scylla Enterprise (2020.1.14, 2021.1.12, 2022.1.0) or Scylla Open Source (4.6.7, 5.0.3). Additionally, ensure that drivers do not use LZ4 compression when connecting to the cluster and restrict access to the Scylla CQL port behind a firewall.

Long-Term Security Practices

To prevent future vulnerabilities, establish strict authentication measures, apply security workarounds, and monitor access to prevent unauthorized connections to the Scylla database.

Patching and Updates

Regularly check for security updates and patches for Scylla to maintain a secure and protected environment for your data.
