
CVE-2022-29240

Uninitialized memory read in LZ4 decompression leads to authentication bypass in Scylla

Severity Score (CVSS v3.1): 8.1
Exploit Likelihood (EPSS): not shown
Affected Versions (CPE): listed below
Public Exploits (multiple sources): 0
Exploited in Wild (KEV): -
Decision (SSVC): -

Descriptions

Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. When decompressing a CQL frame received from a user, Scylla assumes that the user-provided uncompressed length is correct. If the user provides a fake length that is greater than the real one, part of the decompression buffer is not overwritten and is left uninitialized. This can be exploited in several ways, depending on the privileges of the user:

  1. The main exploit is that an attacker with access to the CQL port, but no user account, can bypass authentication, but only if other legitimate clients are making connections to the cluster and they use LZ4.
  2. An attacker who already has a user account on the cluster can read parts of uninitialized memory, which can contain things like passwords of other users or fragments of other queries / results, leading to authorization bypass and sensitive information disclosure.

The bug has been patched in the following versions: Scylla Enterprise 2020.1.14, 2021.1.12, 2022.1.0; Scylla Open Source 4.6.7, 5.0.3. Users unable to upgrade should make sure none of their drivers connect to the cluster using LZ4 compression, and that the Scylla CQL port is behind a firewall. Additionally, make sure no untrusted client can connect to Scylla by setting up authentication and applying the workarounds from the previous point (firewall, no LZ4 compression).
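The flaw described above, as an added illustration that is not Scylla's code: a minimal LZ4 block decoder (written here for the example; Scylla uses the real liblz4) feeds a frame handler that, in its flawed mode, hands back a buffer sized from the client's declared length even when the decoder filled fewer bytes, and in its fixed mode rejects any frame whose declared length differs from what the decoder actually produced. The 4-byte big-endian length prefix, the MAX_FRAME_BODY cap and the sample block are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_FRAME_BODY (256u * 1024 * 1024)   /* assumed server-side cap on a decompressed CQL body */
/* Minimal LZ4 block decoder (token, literals, 16-bit offset, match). Returns the number of
 * bytes written to dst, or -1 on malformed input. dcap is the size the client claimed. */
static long lz4_block_decode(const uint8_t *src, size_t slen, uint8_t *dst, size_t dcap) {
    size_t ip = 0, op = 0;
    while (ip < slen) {
        uint8_t token = src[ip++], b;
        size_t lit = token >> 4, mlen = (token & 15) + 4;
        if (lit == 15) do { if (ip >= slen) return -1; lit += (b = src[ip++]); } while (b == 255);
        if (ip + lit > slen || op + lit > dcap) return -1;
        memcpy(dst + op, src + ip, lit); ip += lit; op += lit;
        if (ip == slen) break;                       /* final sequence carries literals only */
        if (ip + 2 > slen) return -1;
        size_t off = src[ip] | ((size_t)src[ip + 1] << 8); ip += 2;
        if (off == 0 || off > op) return -1;
        if ((token & 15) == 15) do { if (ip >= slen) return -1; mlen += (b = src[ip++]); } while (b == 255);
        if (op + mlen > dcap) return -1;
        for (size_t i = 0; i < mlen; i++, op++) dst[op] = dst[op - off];   /* byte-wise: may overlap */
    }
    return (long)op;
}
/* body = 4-byte big-endian declared uncompressed length + LZ4 block (assumed layout). Returns a
 * heap buffer of *declared bytes or NULL. strict == 0 mirrors the flawed pattern: the buffer is
 * sized and returned from the client's claim, so bytes past *produced are never written by the
 * decoder. strict == 1 is the fix: the claim must equal exactly what the decoder produced. */
static uint8_t *decompress_cql_body(const uint8_t *body, size_t blen, int strict,
                                    size_t *declared, size_t *produced) {
    if (blen < 4) return NULL;
    *declared = ((size_t)body[0] << 24) | ((size_t)body[1] << 16) | ((size_t)body[2] << 8) | body[3];
    if (*declared > MAX_FRAME_BODY) return NULL;      /* never allocate on an unbounded claim */
    uint8_t *buf = strict ? calloc(*declared + 1, 1) : malloc(*declared + 1);   /* +1: claim 0 stays valid */
    if (!buf) return NULL;
    long n = lz4_block_decode(body + 4, blen - 4, buf, *declared);
    *produced = n < 0 ? 0 : (size_t)n;
    if (n < 0 || (strict && (size_t)n != *declared)) { free(buf); return NULL; }
    return buf;
}
/* Constructed sample: LZ4 block for "abcdabcde" (4 literals, 4-byte match at offset 4, 1 literal). */
static const uint8_t SAMPLE_BLOCK[9] = {0x40, 'a', 'b', 'c', 'd', 0x04, 0x00, 0x10, 'e'};
/* Wrap SAMPLE_BLOCK in a body claiming `declared` bytes and decompress it. Returns the number of
 * bytes the decoder really wrote when a buffer was handed back, or -1 when the frame was rejected. */
static long try_frame(uint32_t declared, int strict) {
    uint8_t body[4 + sizeof SAMPLE_BLOCK] = {(uint8_t)(declared >> 24), (uint8_t)(declared >> 16),
                                             (uint8_t)(declared >> 8), (uint8_t)declared};
    memcpy(body + 4, SAMPLE_BLOCK, sizeof SAMPLE_BLOCK);
    size_t d = 0, p = 0;
    uint8_t *out = decompress_cql_body(body, sizeof body, strict, &d, &p);
    if (!out) return -1; free(out); return (long)p;   /* out held d bytes but only p were written */
}
```

With strict == 0, a claim of 16 bytes yields a 16-byte buffer of which only 9 were written; with strict == 1 the same frame is refused.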


Credits: N/A

CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -

Timeline
  • 2022-04-13 CVE Reserved
  • 2022-09-15 CVE Published
  • 2024-05-06 EPSS Updated
  • 2024-08-03 CVE Updated
  • Exploited in Wild: not recorded
  • KEV Due Date: not recorded
  • First Exploit: not recorded

CWE
  • CWE-908: Use of Uninitialized Resource

CAPEC
  • (none listed)
Affected Vendors, Products, and Versions

Vendor    Product  Version                   Other (edition)  Status
Scylladb  Scylla   < 4.6.7                   open_source      Affected
Scylladb  Scylla   < 2020.1.14               enterprise       Affected
Scylladb  Scylla   >= 5.0.0 < 5.0.3          open_source      Affected
Scylladb  Scylla   >= 2021.1.0 < 2021.1.12   enterprise       Affected