Security Advisory for Apache Cassandra Vulnerabilities – CVE-2025-23015, CVE-2025-24860, and CVE-2024-27137
Issue Details
On 3 February 2025, multiple CVEs were reported by the Apache Cassandra project community. Although these vulnerabilities have yet to be assessed by NVD, NetApp commenced an investigation into their potential impact on our Instaclustr for Apache Cassandra® offering.
CVE | Issue | Base CVSS v3.1 Score by NVD | Versions affected |
---|---|---|---|
CVE-2025-23015 | User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions. | Not yet assessed by NVD | |
CVE-2025-24860 | CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed, allowing access to different network regions. | Not yet assessed by NVD | |
CVE-2024-27137 | Apache Cassandra: unrestricted deserialization of JMX authentication credentials. | Not yet assessed by NVD | |
Impact Analysis
NetApp performed an investigation into these vulnerabilities and their potential impact on Instaclustr Managed Platform customers. We found that two of the CVEs have no impact on the existing clusters in the Instaclustr environment. However, CVE-2025-23015 is considered an urgent priority for Instaclustr to fix. Soon after the Apache project released them, we made the latest Cassandra versions 3.11.19, 4.0.17, 4.1.8, and 5.0.3, which contain the fixes for these vulnerabilities, available on our platform. Please note that version 3.11.18, which includes a fix, introduces a significant performance regression; therefore, we will not release version 3.11.18. Although version 4.0.16 was released during the same period, it does not contain the fix, so we will not release version 4.0.16 either.
We have assessed the severity ratings as follows:
CVE | NetApp calculated CVSS v3.1 rating | NetApp resolution priority | Impact |
---|---|---|---|
CVE-2025-23015 | 7.4 (High) | Urgent | Allows users with MODIFY permission on ALL KEYSPACES to escalate their privileges to superuser. This means they can alter the system_auth keyspace, which manages authentication and authorization data, and gain full control over the Cassandra cluster. |
CVE-2025-24860 | 0 | N/A* | No impact on the existing clusters on the Instaclustr platform. Allows users to bypass network-based access controls using the CassandraNetworkAuthorizer or CassandraCIDRAuthorizer. This flaw can enable unauthorized access to different datacenters or IP/CIDR groups. |
CVE-2024-27137 | 0 | N/A* | No impact on the existing clusters on the Instaclustr platform. Allows local attackers to manipulate the RMI registry and capture JMX authentication credentials. This can lead to unauthorized access to the system. |
* These vulnerabilities will be patched with CVE-2025-23015
More details on CVE-2025-23015:
- This CVE identifies an issue where a user with MODIFY permission granted on ALL KEYSPACES can also modify the system_auth keyspace, potentially escalating their privileges to those of a superuser within a specific Cassandra cluster. It is not a vulnerability that can be exploited across clusters: the user must already hold the necessary permissions within the specific cluster to escalate their privileges.
- Privilege Escalation Risk: A user with MODIFY permissions on ALL KEYSPACES can gain unauthorized control by modifying the system_auth tables. This enables them to grant themselves superuser privileges.
- Control Over Cluster: With superuser access, the user could essentially gain full control over the Cassandra cluster, leading to significant security risks, including data breaches or malicious alterations of configurations.
Mitigation Approaches
All three CVEs listed are mitigated by upgrading your Cassandra version to the latest patched release of the respective major version, now available on the Instaclustr platform.
NetApp recommends the following actions for our customers:
Managed Service Customers
Upgrade to the latest patched Cassandra versions (available on the Instaclustr platform):
New Clusters
- The Apache Cassandra project has released new versions – 3.11.19, 4.0.17, 4.1.8 and 5.0.3
- These versions include fixes for the above vulnerabilities.
For new clusters, use Cassandra 3.11.19, 4.0.17, 4.1.8, and 5.0.3 or later versions, depending on the major version you are using.
For Existing Clusters
To ensure these fixes are delivered to all affected clusters on our Managed Platform, our Support team will prioritize patching PCI-enabled clusters first, followed by non-PCI clusters. All clusters will be patched by April 3, 2025, with the following upgrades:
- Cassandra 3.11.x to 3.11.19
- Cassandra 4.0.x to 4.0.17
- Cassandra 4.1.x to 4.1.8
- Cassandra 5.0.x to 5.0.3
Our Support team will reach out to you shortly to schedule an upgrade.
Our Enterprise Support Customers
Upgrade to Cassandra version 3.11.19, 4.0.17, 4.1.8 or 5.0.3, depending on which major version you are using.
All Customers
- We recommend all customers review the access permissions to their Cassandra clusters to ensure access is restricted to the minimum permission sets, IP addresses, and trusted clients. You can find information about how to manage Cassandra users and firewall rules on our website.
- If you have granted data MODIFY permission on all keyspaces on any of the affected versions, please review your data access rules immediately to check for potential breaches.
- You can audit access to the system tables using the following CQL command; it lists every role that holds MODIFY on the system_auth keyspace, directly or through a grant on ALL KEYSPACES, and therefore every role that could potentially exploit this CVE. You should revoke any non-superuser access where appropriate.
Command: LIST MODIFY ON KEYSPACE system_auth;
- If you are using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on any of the affected versions, please review your data access rules immediately to check for potential breaches.
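The following is an added example, not part of the advisory, showing how to turn the output of the two audit commands (LIST MODIFY ON KEYSPACE system_auth; and LIST ROLES;) into a list of non-superuser roles that can reach system_auth, plus the REVOKE statements to review. The cqlsh outputs embedded below are constructed samples; the role names are hypothetical.

```python
"""Flag non-superuser roles holding MODIFY on system_auth (CVE-2025-23015 audit)."""
import re

# Constructed sample of what cqlsh prints for `LIST MODIFY ON KEYSPACE system_auth;`.
PERMS_OUTPUT = """\
 role      | username  | resource               | permission
-----------+-----------+------------------------+------------
 cassandra | cassandra | <all keyspaces>        |     MODIFY
 app_admin | app_admin | <all keyspaces>        |     MODIFY
 reporter  | reporter  | <keyspace system_auth> |     MODIFY
 etl       | etl       | <keyspace sales>       |     MODIFY

(4 rows)
"""

# Constructed sample of what cqlsh prints for `LIST ROLES;`.
ROLES_OUTPUT = """\
 role      | super | login | options | datacenters
-----------+-------+-------+---------+-------------
 cassandra |  True |  True |      {} |         ALL
 app_admin | False |  True |      {} |         ALL
 reporter  | False |  True |      {} |         ALL
 etl       | False |  True |      {} |         ALL

(4 rows)
"""

# Resources from which the system_auth tables are reachable with MODIFY.
SENSITIVE = re.compile(r"^<(all keyspaces|keyspace system_auth|table system_auth\.\w+)>$")

def parse_cqlsh_table(text):
    """Turn cqlsh's pipe-separated table into a list of dicts keyed by column header."""
    rows = [line for line in text.splitlines() if "|" in line]  # drops the ---+--- rule and "(n rows)"
    header = [h.strip() for h in rows[0].split("|")]
    return [dict(zip(header, (c.strip() for c in row.split("|")))) for row in rows[1:]]

def find_escalation_paths(perms_text, roles_text):
    """Return sorted (role, resource) pairs for non-superusers with MODIFY on a sensitive resource."""
    superusers = {r["role"] for r in parse_cqlsh_table(roles_text) if r["super"] == "True"}
    return sorted((p["role"], p["resource"]) for p in parse_cqlsh_table(perms_text)
                  if p["permission"] == "MODIFY" and SENSITIVE.match(p["resource"])
                  and p["role"] not in superusers)

def revoke_statement(role, resource):
    """Map a cqlsh resource string back to CQL syntax for an operator-reviewed REVOKE."""
    inner = resource.strip("<>")                     # e.g. "keyspace system_auth"
    kind, _, name = inner.partition(" ")
    target = "ALL KEYSPACES" if inner == "all keyspaces" else f"{kind.upper()} {name}"
    return f"REVOKE MODIFY ON {target} FROM {role};"

if __name__ == "__main__":
    for role, resource in find_escalation_paths(PERMS_OUTPUT, ROLES_OUTPUT):
        print(f"{role} can modify system_auth via {resource}: {revoke_statement(role, resource)}")
```

Revoking MODIFY ON ALL KEYSPACES from an application role will also remove its write access to application keyspaces, so the usual follow-up is to re-grant MODIFY on the specific keyspaces the role needs.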
Cassandra Version Support Lifecycle
Following the release of the latest patch versions on the Instaclustr Platform, the affected versions have immediately been transitioned to Closed, meaning they are available for new deployments only by exception, to allow customers to transition their fleet to General Availability offerings. These affected versions will transition to Legacy Support on March 3rd, 2025. The Legacy Support state means that these versions will not be available for new deployments but will not yet have any SLA restrictions.
Due to the high severity of the CVE, on the 30th of April we will then transition the affected versions to End of Life. This will mean no new deployments, and these clusters will no longer be eligible for PCI compliance or Production SLAs. Read more about our lifecycle policies here.
In summary, all affected versions have been closed and will transition to Legacy Support on 3rd March 2025 and then to End of Life on 30th April 2025. View the lifecycle state for all Cassandra versions here.
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact Instaclustr Support.