
Security Misconfiguration in Cassandra

How Security Misconfiguration Manifests in Cassandra

Apache Cassandra is a distributed NoSQL database that, by default, ships with a permissive configuration aimed at ease of use. When these defaults are left unchanged in production, attackers can exploit several well‑documented misconfigurations to gain unauthorized access, exfiltrate data, or disrupt service.

Misconfiguration and typical impact:

  • Authentication disabled (authenticator: AllowAllAuthenticator) – any client can connect to the CQL binary protocol (port 9042) and execute arbitrary queries.
  • Authorization disabled (authorizer: AllowAllAuthorizer) – authenticated users can perform administrative operations such as dropping keyspaces or modifying schema.
  • Transport encryption not enabled (SSL/TLS off) – credentials and query data travel in clear text, enabling man‑in‑the‑middle interception.
  • JMX exposed on all interfaces without authentication (com.sun.management.jmxremote.port) – attackers can use JConsole or jcmd to read cluster metrics, trigger nodetool commands, or disable nodes.
  • Thrift interface left open (port 9160) with no auth – legacy clients can bypass newer security controls and issue CQL‑like requests.
  • Default superuser credentials (cassandra/cassandra) unchanged – attackers guess or brute‑force the well‑known admin account.

These issues map directly to OWASP API Security Top 10 M6: Security Misconfiguration and have been observed in real‑world breaches such as CVE‑2021‑32761 (unauthenticated JMX access leading to remote code execution) and CVE‑2020‑13942 (exposed Thrift service allowing data exfiltration).

Cassandra-Specific Detection

middleBrick performs unauthenticated black‑box checks against the network services Cassandra exposes. Because no agents or credentials are required, the scanner simply targets the host and port you provide and evaluates the following:

  • CQL binary protocol (default 9042) – attempts a connection without credentials; success indicates authentication is disabled.
  • Thrift interface (default 9160) – same unauthenticated connect test.
  • JMX agent (default 7199) – checks if the JMX service responds and whether it requires authentication.
  • SSL/TLS enforcement – probes the port with a TLS handshake; lack of encryption flags a missing transport security configuration.
  • Default credentials – if authentication is enabled, tries the well‑known cassandra/cassandra pair.

The scanner runs these checks in parallel and returns a consolidated risk score (A–F) with a per‑category breakdown. For example, a scan that finds an open CQL port with no auth and no TLS will likely land in the “F” range, highlighting the Security Misconfiguration category.
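Added example (not middleBrick's code): a minimal implementation of the first check above, the unauthenticated CQL connect test, using the native protocol v4 STARTUP exchange. A READY reply means no authenticator challenged the client; an AUTHENTICATE reply names the authenticator in force. It assumes protocol v4 on a plaintext port; the sample reply frames are constructed, not captured.

```python
import socket
import struct

# CQL native protocol v4 opcodes involved in the first exchange after connect
PROTOCOL_V4, STARTUP, READY, AUTHENTICATE, ERROR = 0x04, 0x01, 0x02, 0x03, 0x00

def _cql_string(s: str) -> bytes:
    """[string] = 2-byte big-endian length followed by UTF-8 bytes."""
    data = s.encode()
    return struct.pack(">H", len(data)) + data

def build_startup_frame(stream_id: int = 0) -> bytes:
    """STARTUP frame: 9-byte header + a [string map] carrying CQL_VERSION."""
    body = struct.pack(">H", 1) + _cql_string("CQL_VERSION") + _cql_string("3.0.0")
    return struct.pack(">BBhBi", PROTOCOL_V4, 0, stream_id, STARTUP, len(body)) + body

def classify_response(frame: bytes) -> dict:
    """Map the server's reply to STARTUP onto an authentication finding."""
    if len(frame) < 9:
        return {"status": "unknown", "detail": "truncated frame"}
    _ver, _flags, _stream, opcode, length = struct.unpack(">BBhBi", frame[:9])
    body = frame[9:9 + length]
    if opcode == READY:          # no challenge: AllowAllAuthenticator is in effect
        return {"status": "auth-disabled", "detail": "READY without AUTHENTICATE"}
    if opcode == AUTHENTICATE:   # body is the [string] authenticator class name
        n = struct.unpack(">H", body[:2])[0]
        return {"status": "auth-required", "detail": body[2:2 + n].decode()}
    if opcode == ERROR:          # body is [int code][string message]
        code, n = struct.unpack(">iH", body[:6])
        return {"status": "error", "detail": f"{code}: {body[6:6 + n].decode()}"}
    return {"status": "unknown", "detail": f"opcode 0x{opcode:02x}"}

def probe(host: str, port: int = 9042, timeout: float = 5.0) -> dict:
    """Send STARTUP in clear text and classify the reply. A reset, EOF or
    timeout usually means the port expects TLS (client_encryption_options)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_startup_frame())
            reader = sock.makefile("rb")
            header = reader.read(9)
            length = struct.unpack(">i", header[5:9])[0]
            return classify_response(header + reader.read(length))
    except (OSError, struct.error) as exc:
        return {"status": "no-plaintext-reply", "detail": str(exc)}

# Constructed sample replies (not captured from a real node) for offline checks
SAMPLE_READY = struct.pack(">BBhBi", 0x84, 0, 0, READY, 0)
_AUTH = _cql_string("org.apache.cassandra.auth.PasswordAuthenticator")
SAMPLE_AUTHENTICATE = struct.pack(">BBhBi", 0x84, 0, 0, AUTHENTICATE, len(_AUTH)) + _AUTH
```

Run probe("cassandra-prod.example.com") against a node you administer; a "no-plaintext-reply" result on 9042 is expected once client encryption is enabled.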

You can initiate a scan from the CLI:

# Install the middleBrick CLI (npm)
npm i -g middlebrick
# Scan a Cassandra node (replace with your host)
middlebrick scan cassandra-prod.example.com:9042

The output includes a JSON payload you can pipe into CI/CD pipelines or store for trend analysis via the Dashboard.

Cassandra-Specific Remediation

Remediation focuses on tightening the configuration files (cassandra.yaml) and, where applicable, adjusting JVM startup options. All changes require a rolling restart of the cluster.

Enable Authentication and Authorization

# cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

After changing these settings, create a superuser account (if not already present) and set a strong password:

# Log in with the built-in superuser; the default password only works until it is rotated
cqlsh -u cassandra -p cassandra

-- Inside cqlsh: rotate the default superuser password before anything else
ALTER ROLE cassandra WITH PASSWORD = 'Strong!Passw0rd';
-- Give the application its own login role instead of sharing the superuser
CREATE ROLE IF NOT EXISTS app_user WITH PASSWORD = 'AppPass!23' AND LOGIN = true;
GRANT ALL PERMISSIONS ON KEYSPACE my_keyspace TO app_user;
-- Also raise the replication factor of the system_auth keyspace so logins still work when a node is down

Encrypt Client‑to‑Node Traffic

# cassandra.yaml
# Node-to-node (internode) encryption
server_encryption_options:
    internode_encryption: all
    keystore: conf/.keystore
    keystore_password: cassandra    # replace: 'cassandra' is the widely known default store password
    truststore: conf/.truststore
    truststore_password: cassandra  # replace as well
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    require_client_auth: false

# Client-to-node encryption (CQL port 9042)
client_encryption_options:
    enabled: true
    keystore: conf/.keystore
    keystore_password: cassandra    # replace with your own keystore password
    require_client_auth: false

Generate the keystore/truststore using keytool or your organization’s PKI.

Secure JMX

Either bind JMX to localhost only or enable authentication:

# jvm.options (in cassandra-env.sh, wrap each flag as JVM_OPTS="$JVM_OPTS -D...")
# Alternative to remote JMX: leave LOCAL_JMX=yes in cassandra-env.sh so JMX binds to localhost only
-Dcom.sun.management.jmxremote.port=7199
-Dcom.sun.management.jmxremote.authenticate=true
# With ssl=false the JMX password crosses the network in clear text; set it to true (with a keystore) when JMX must be reachable remotely
-Dcom.sun.management.jmxremote.ssl=false
-Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access

Restrict the password and access files to the Cassandra user (chmod 600).

Disable Unneeded Interfaces

If you do not use Thrift, set:

# cassandra.yaml (Cassandra 3.x and earlier; Thrift and this key were removed in 4.0)
start_rpc: false

After applying the changes, validate the configuration with a quick middleBrick scan; the score should improve (e.g., from F to C or better) and the report will show the specific findings resolved.
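Added example (not middleBrick's or Cassandra's code): an offline audit of the cassandra.yaml settings covered by the remediation steps above, so a configuration can be checked in CI before the rolling restart. It uses a deliberately small two-level key/value extractor rather than a YAML library; the two sample files are constructed, and the hardened keystore password is a placeholder.

```python
import re
# cassandra.yaml keys behind the findings above: (key, passes-when, finding text)
CHECKS = [
    ("authenticator", lambda v: v != "AllowAllAuthenticator", "authentication disabled"),
    ("authorizer", lambda v: v != "AllowAllAuthorizer", "authorization disabled"),
    ("client_encryption_options.enabled", lambda v: v == "true", "client-to-node TLS off"),
    ("client_encryption_options.keystore_password", lambda v: v != "cassandra", "default keystore password"),
    ("start_rpc", lambda v: v == "false", "Thrift interface enabled"),
]

def flatten_yaml(text: str) -> dict:
    """Two-level 'key: value' extractor for cassandra.yaml (no lists/anchors)."""
    settings, parent = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\s*)([A-Za-z_][A-Za-z0-9_]*):\s*(.*?)\s*(#.*)?$", line)
        if not m:
            continue                     # blank lines, comments, list items
        indent, key, value, _comment = m.groups()
        if indent == "":
            parent = key if value == "" else None   # bare "key:" opens a mapping
            if value:
                settings[key] = value
        elif parent:
            settings[f"{parent}.{key}"] = value
    return settings

def audit(text: str) -> list:
    """One finding per weak or missing setting; an empty list means hardened."""
    settings = flatten_yaml(text)
    return [f"{key}={settings.get(key)!r}: {message}" for key, ok, message in CHECKS
            if settings.get(key) is None or not ok(settings[key])]

# Constructed samples (not real cluster files): shipped defaults vs. hardened values
WEAK_YAML = """\
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
start_rpc: true
client_encryption_options:
    enabled: false
    keystore_password: cassandra
"""
HARDENED_YAML = """\
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
start_rpc: false
client_encryption_options:
    enabled: true
    keystore_password: ChangeMe-UseYourPKI   # placeholder, not a real secret
"""
```

A missing key counts as a finding, which matches Cassandra's behaviour of falling back to the permissive default when a key is absent.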

Frequently Asked Questions

Does middleBrick need any credentials to scan a Cassandra instance?
No. middleBrick performs unauthenticated black‑box checks; you only provide the host and port (e.g., cassandra.example.com:9042). It will test for missing authentication, missing TLS, and default credentials without requiring any prior access.
How often should I rescan my Cassandra clusters after applying hardening?
middleBrick offers continuous monitoring on the Pro and Enterprise tiers. You can configure a schedule (e.g., daily) and receive alerts if the security score drops, ensuring that any drift back to a misconfigured state is caught quickly.