-
Threat: Unauthorized Data Access via Default Credentials
- Description: Attacker attempts to connect to the Cassandra cluster using default credentials (e.g.,
cassandra/cassandra) that have not been changed after installation. The attacker gains full administrative access. - Impact: Complete data breach; attacker can read, modify, or delete all data within the cluster. Potential for complete system compromise.
- Affected Component:
Authenticator(specifically, the defaultPasswordAuthenticatorif not configured properly), CQL interface. - Risk Severity: Critical
- Mitigation Strategies:
- Immediately change default credentials upon installation.
- Enforce strong password policies.
- Consider using a more robust authentication mechanism (LDAP, Kerberos).
- Description: Attacker attempts to connect to the Cassandra cluster using default credentials (e.g.,
-
Threat: Unauthorized Data Access via Disabled Authentication
- Description: Attacker connects to the Cassandra cluster, which has authentication disabled entirely (
authenticator: AllowAllAuthenticatorincassandra.yaml). - Impact: Complete data breach; attacker can read, modify, or delete all data.
- Affected Component:
Authenticator(specifically,AllowAllAuthenticator), CQL interface. - Risk Severity: Critical
- Mitigation Strategies:
- Never use
AllowAllAuthenticatorin a production environment. - Enable authentication using
PasswordAuthenticator, LDAP, or Kerberos.
- Never use
- Description: Attacker connects to the Cassandra cluster, which has authentication disabled entirely (
-
Threat: Unauthorized Data Access via Weakly Configured RBAC
- Description: Attacker gains access to a Cassandra user account with overly permissive roles. For example, a user intended for read-only access has been granted write or even superuser privileges.
- Impact: Data breach or modification; attacker can access or modify data beyond their intended authorization level.
- Affected Component:
Authorizer(specifically, the configuredCassandraAuthorizerand its role/permission assignments), CQL interface. - Risk Severity: High
- Mitigation Strategies:
- Implement the principle of least privilege: grant users only the minimum necessary permissions.
- Regularly audit user roles and permissions.
- Use specific roles for different application components and users.
-
Threat: Network Sniffing of Unencrypted Client-to-Node Traffic
- Description: Attacker intercepts network traffic between the application (client) and the Cassandra nodes. If this traffic is unencrypted, the attacker can capture sensitive data, including credentials and query results.
- Impact: Data breach; attacker can eavesdrop on all data exchanged between the client and the cluster.
- Affected Component: Client-to-node communication protocol (CQL binary protocol), network layer.
- Risk Severity: High
- Mitigation Strategies:
- Enable client-to-node encryption using TLS/SSL in
cassandra.yaml(client_encryption_options). - Configure the application's Cassandra driver to use TLS/SSL and validate server certificates.
- Use strong cipher suites.
- Enable client-to-node encryption using TLS/SSL in
-
Threat: Network Sniffing of Unencrypted Node-to-Node Traffic
- Description: Attacker intercepts network traffic between Cassandra nodes within the cluster. If this traffic is unencrypted (e.g., during replication), the attacker can capture sensitive data.
- Impact: Data breach; attacker can eavesdrop on data replicated between nodes.
- Affected Component: Internode communication protocol, network layer.
- Risk Severity: High
- Mitigation Strategies:
- Enable node-to-node encryption using TLS/SSL in
cassandra.yaml(server_encryption_options). - Use strong cipher suites.
- Consider network segmentation to isolate inter-node traffic.
- Enable node-to-node encryption using TLS/SSL in
-
Threat: NoSQL Injection via Unsanitized Input
- Description: Attacker crafts malicious input that, when used to construct CQL queries, allows them to bypass intended access controls or execute unintended commands. This is less common than SQL injection but still possible.
- Impact: Data breach, data modification, or denial of service, depending on the specific injection.
- Affected Component: Application code that constructs CQL queries, CQL interface.
- Risk Severity: High
- Mitigation Strategies:
- Use parameterized queries (prepared statements) exclusively for all data input.
- Validate and sanitize all user input, even if not directly used in a query.
- Avoid dynamic CQL query construction whenever possible.
-
Threat: Exploitation of Known Cassandra Vulnerabilities
- Description: Attacker exploits a known vulnerability in a specific version of Cassandra (e.g., a CVE) to gain unauthorized access, cause a denial of service, or execute arbitrary code.
- Impact: Varies depending on the vulnerability; could range from data breach to complete system compromise.
- Affected Component: Varies depending on the vulnerability; could be any part of Cassandra.
- Risk Severity: High (or Critical, depending on the CVE)
- Mitigation Strategies:
- Stay up-to-date with Cassandra security advisories.
- Patch Cassandra to the latest stable version promptly after security releases.
- Perform regular vulnerability scanning.
-
Threat: Unauthorized Access via Unsecured JMX
- Description: Attacker connects to the Cassandra JMX interface, which is exposed without proper authentication or authorization. The attacker can then access sensitive information or potentially execute arbitrary code.
- Impact: Data breach, potential for remote code execution, cluster misconfiguration.
- Affected Component: JMX interface,
cassandra-env.sh(JMX configuration). - Risk Severity: High
- Mitigation Strategies:
- Require authentication for JMX access (configure
JVM_OPTSincassandra-env.sh). - Restrict JMX access to specific IP addresses or networks.
- Use SSL/TLS for JMX communication.
- Disable JMX if it's not absolutely necessary.
- Require authentication for JMX access (configure