The ScyllaDB team announces ScyllaDB Enterprise 2021.1.12 and 2020.1.14, a security bug-fix production-ready ScyllaDB Enterprise patch release for Scylla Enterprise 2021.1 and Scylla Enterprise 2020.1, respectively. Note that ScyllaDB 2022.1 is also available and users are encouraged to update to the latest 2022.1 maintenance release.
As always, ScyllaDB Enterprise customers are encouraged to upgrade in coordination with the ScyllaDB support team.
The release includes a fix for a security vulnerability.
During internal fuzz-testing performed by the ScyllaDB R&D team, we identified a vulnerability in the CQL implementation which you should be aware of and act on accordingly.
We have no evidence this vulnerability was ever exploited.
The vulnerability may allow an attacker to:
- Bypass authentication
- Exfiltrate passwords of other accounts
- Read uninitialized memory
For more information and a workaround, see ScyllaDB Security Advisory SDBA-2022-0001 (high severity).
It is highly recommended to follow the ScyllaDB and ScyllaDB Cloud security checklist and, in particular, to limit the exposure of a cluster to the public Internet.