CVE-2024-37309: CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint (port 4200) per...

Description

CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint (port 4200) permits client-initiated renegotiation. In this scenario, an attacker can exploit this feature to repeatedly request renegotiation of security parameters during an ongoing TLS session. This flaw could lead to excessive consumption of CPU resources, resulting in potential server overload and service disruption. The vulnerability was confirmed using an openssl client where the command `R` initiates renegotiation, followed by the server confirming with `RENEGOTIATING`. This vulnerability allows an attacker to perform a denial of service attack by exhausting server CPU resources through repeated TLS renegotiations. This impacts the availability of services running on the affected server, posing a significant risk to operational stability and security. TLS 1.3 explicitly forbids renegotiation, since it closes a window of opportunity for an attack. Version 5.7.2 of CrateDB contains the fix for the issue.

Metrics

CVSS 3.1

5.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Probability

0.70%

48.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-770

Affected Software

Vendor	Product	Versions
Cratedb	Cratedb	< 5.7.2

References

https://cratedb.com/docs/crate/reference/en/latest/appendices/release-notes/5.7.2.htmlRelease Notes
https://github.com/crate/crate/commit/1dde03bdf031a20886065195527e368e4a3218b3Patch
https://github.com/crate/crate/security/advisories/GHSA-x268-qpg6-w9g2Exploit, Vendor Advisory
https://cratedb.com/docs/crate/reference/en/latest/appendices/release-notes/5.7.2.htmlRelease Notes
https://github.com/crate/crate/commit/1dde03bdf031a20886065195527e368e4a3218b3Patch
https://github.com/crate/crate/security/advisories/GHSA-x268-qpg6-w9g2Exploit, Vendor Advisory

Timeline

Published: Jun 13, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-37309?

CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint (port 4200) permits client-initiated renegotiation. In this scenario, an attacker can exploit this feature to repeatedly request renegotiation of security parameters during an ongoing TLS session. This flaw could lead to excessive consumption of CPU resources, resulting in potential server overload and service disruption. The vulnerability was confirmed using an openssl client where the command `R` initiates renegotiation, followed by the server confirming with `RENEGOTIATING`. This vulnerability allows an attacker to perform a denial of service attack by exhausting server CPU resources through repeated TLS renegotiations. This impacts the availability of services running on the affected server, posing a significant risk to operational stability and security. TLS 1.3 explicitly forbids renegotiation, since it closes a window of opportunity for an attack. Version 5.7.2 of CrateDB contains the fix for the issue.

How severe is CVE-2024-37309?

CVE-2024-37309 has a CVSS score of 5.3/10 (MEDIUM severity). The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.

How do I fix CVE-2024-37309?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.