Mitigation for TLS renegotiation Vulnerability

Baur · June 24, 2024, 12:55pm

CrateDB versions earlier than 5.7.2 are exposed to the client initiated renegotiation vulnerability.

We have released CrateDB 5.7.2 with TLS renegotiation disabled by default.

To mitigate this issue on earlier versions, please use flag rejectClientInitiatedRenegotiation.

If you use tarball distribution, use CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true" ./bin/crate
If you run CrateDB on Docker, add --env CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true" to your docker run command.
If you use package-based setup, add
CRATE_JAVA_OPTS="-Djdk.tls.rejectClientInitiatedRenegotiation=true"
to the /etc/default/crate file. See also Configuration Settings — CrateDB: Guide

Topic		Replies	Views
Mitigations for Reported Vulnerability Community	9	490	December 27, 2023
Unable to enable node-to-node encryption CrateDB	16	995	June 3, 2022
Security Vulnerability - Log4Shell RCE 0-day exploit CrateDB	11	2570	January 25, 2022
Community Edition 4.0.4 CrateDB	2	1345	September 23, 2019
Comunity license switch CrateDB	8	1862	January 22, 2020