Mitigation for TLS renegotiation Vulnerability

Baur · June 24, 2024, 12:55pm

CrateDB versions earlier than 5.7.2 are exposed to the client initiated renegotiation vulnerability.

We have released CrateDB 5.7.2 with TLS renegotiation disabled by default.

To mitigate this issue on earlier versions, please use flag rejectClientInitiatedRenegotiation.

If you use tarball distribution, use CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true" ./bin/crate
If you run CrateDB on Docker, add --env CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true" to your docker run command.
If you use package-based setup, add
CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true"
to the /etc/default/crate file. See also Configuration Settings — CrateDB: Guide

Topic		Replies	Views
Security Vulnerability - Log4Shell RCE 0-day exploit CrateDB	11	2610	January 25, 2022
Cannot start crateDB service CrateDB	1	992	May 28, 2020
Connection reset by peer issue with cratedb cluster CrateDB	1	1211	June 24, 2019
Mitigations for Reported Vulnerability Community	9	509	December 27, 2023
Encrypted inter-node communication port CrateDB	3	783	January 16, 2020