[ 
https://issues.apache.org/jira/browse/CASSANDRA-21231?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Cyl updated CASSANDRA-21231:
----------------------------
    Component/s: Feature/Authorization
                 Feature/Rate Limiting
         Labels: dos performance security  (was: )

> Authenticated DoS via `CREATE ROLE ... WITH HASHED PASSWORD`
> ------------------------------------------------------------
>
>                 Key: CASSANDRA-21231
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-21231
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Feature/Authorization, Feature/Rate Limiting
>            Reporter: Cyl
>            Priority: Normal
>              Labels: dos, performance, security
>
> # Authenticated DoS via `CREATE ROLE ... WITH HASHED PASSWORD`
> ## 1. Vulnerability Description
> **Name**: Authenticated DoS via `CREATE ROLE ... WITH HASHED PASSWORD`
> **Overview**:
> Similar to the `ALTER ROLE` vulnerability, the `CREATE ROLE` statement also 
> supports the `HASHED PASSWORD` option. When a user with `CREATE` permission 
> (on `ALL ROLES` or `RoleResource.root()`) executes a `CREATE ROLE` statement 
> with a high-cost bcrypt hash, the server performs the validation 
> synchronously on the request thread.
> This allows an attacker with role creation privileges to exhaust the request 
> executor thread pool by sending multiple concurrent `CREATE ROLE` requests 
> with high-cost hashes, leading to a denial of service.
> **Affected Configurations**:
> - Clusters running `PasswordAuthenticator`.
> - Users with `CREATE` permission on roles.
> **Impact**:
> - Complete denial of service.
> - The server becomes unresponsive to all CQL requests.
> ## 2. Proof-of-Concept
> The file `poc_create_role_dos.py` demonstrates the attack:
> 1.  Start a Cassandra instance.
> 2.  Create a regular user `attacker_creator` and grant `CREATE ON ALL ROLES` 
> to them.
> 3.  Launch 50 concurrent threads that run `CREATE ROLE <random_name> WITH 
> HASHED PASSWORD '<high_cost_hash>'`.
> 4.  Monitor the latency of a simple `SELECT now()` query.
> **Observed Output**:
> ```
> [Victim] Query latency: 0.1089s
> ...
> [Victim] Query failed/timed out: ...
> ```
> The server becomes unresponsive.
> ## 3. Problematic Code Reference
> In `src/java/org/apache/cassandra/cql3/statements/CreateRoleStatement.java`:
> ```java
>     public void validate(ClientState state) throws RequestValidationException
>     {
>         opts.validate(); // Calls RoleOptions.validate() -> BCrypt.checkpw
>         // ...
>     }
> ```
> ## 4. Recommended Fixes
> The fix is the same as for `ALTER ROLE`:
> 1.  **Limit Cost Factor**: Enforce a maximum allowed cost factor for 
> `HASHED_PASSWORD` in `RoleOptions.validate()`.
> 2.  **Offload Validation**: Perform the validation on a separate thread pool.
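One way to implement the first recommended fix, a cost-factor ceiling checked before any bcrypt verification runs, as an added Java example that is not Cassandra's own `RoleOptions.validate()` code; the class name, the `MAX_COST_FACTOR` value of 14 and the sample hashes are assumptions:

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical policy check (added example, not Cassandra's RoleOptions.validate()).
// A bcrypt hash in modular crypt format looks like: $2a$12$<22-char salt><31-char digest>
public final class HashedPasswordPolicy
{
    // Ceiling for the work factor a supplied hash may carry; 14 is an assumed value.
    public static final int MAX_COST_FACTOR = 14;

    private static final Pattern BCRYPT =
        Pattern.compile("^\\$2[abxy]\\$(\\d{2})\\$[./A-Za-z0-9]{53}$");

    /** Returns the bcrypt cost factor, or throws if the string is not a well-formed bcrypt hash. */
    public static int costFactor(String hashed)
    {
        Matcher m = BCRYPT.matcher(hashed);
        if (!m.matches())
            throw new IllegalArgumentException("Not a bcrypt hash in $2?$NN$ modular crypt format");
        int cost = Integer.parseInt(m.group(1));
        if (cost < 4 || cost > 31)
            throw new IllegalArgumentException("bcrypt cost factor out of range: " + cost);
        return cost;
    }

    /** Reject before any BCrypt.checkpw call, so the request thread never pays 2^cost rounds. */
    public static void validate(String hashed)
    {
        int cost = costFactor(hashed);
        if (cost > MAX_COST_FACTOR)
            throw new IllegalArgumentException(
                "bcrypt cost factor " + cost + " exceeds the maximum of " + MAX_COST_FACTOR);
    }

    public static void main(String[] args)
    {
        // Constructed sample hashes: structurally valid (22-char salt + 31-char digest),
        // not real password digests.
        String body = "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234";
        String ok = "$2a$12$" + body;
        String expensive = "$2a$31$" + body;
        validate(ok);
        System.out.println("cost " + costFactor(ok) + " accepted");
        try { validate(expensive); }
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

Parsing the cost out of the hash string is cheap and can run on the request thread; only hashes that pass this ceiling should ever reach `BCrypt.checkpw`.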



--
This message was sent by Atlassian Jira
(v8.20.10#820010)