Header Injection in Cassandra

Cassandra's architecture exposes two primary network interfaces that are susceptible to header injection: the Thrift Interface (legacy) and the Native Transport (CQL). Both accept protocol-level headers that, if improperly validated by a client or intermediary, can be manipulated to alter request semantics or trigger unintended server behavior.

Thrift Protocol Header Manipulation: The Thrift interface (binary协议) uses a compact protocol with method name and message type headers. An attacker can inject malicious method names or sequence IDs if the client library fails to sanitize these fields. For example, CVE-2021-29244 highlighted a deserialization vulnerability in the Thrift interface where crafted headers could lead to arbitrary code execution via unsafe object deserialization. An attacker controlling a header like message_type or method_name could potentially bypass authentication checks or invoke unintended internal methods.

CQL Frame Header Exploitation: The native CQL protocol (v4 and v5) uses frame headers containing flags, stream IDs, and opcodes. Injection here often involves manipulating the flags byte or opcode to alter query execution context. For instance, setting the DEFAULT flag incorrectly or injecting a PREPARE opcode in a QUERY stream could cause the server to prepare a statement without proper authorization checks. This is particularly dangerous when combined with Authentication failures (CASSANDRA-14764), where malformed headers might bypass the authenticator stage.

Real-World Attack Pattern: A typical attack against a Cassandra cluster exposed via an application proxy might involve: 1) Intercepting a legitimate CQL QUERY frame, 2) Modifying the stream_id to match an existing authenticated session, 3) Changing the opcode to EXECUTE to run a prepared statement from the victim's session, effectively achieving Horizontal Privilege Escalation (BOLA). This maps directly to OWASP API Top 10: API1:2023 – Broken Object Level Authorization.

Detecting header injection vulnerabilities in Cassandra requires active probing of the API endpoint (Thrift port 9160 or CQL native port 9042) with malformed headers and analyzing the server's response patterns. middleBrick automates this as part of its Input Validation and Authentication security checks.

The scanner sends a sequence of crafted requests: 1) A valid CQL QUERY with a known harmless statement (e.g., SELECT release_version FROM system.local), 2) The same request with an invalid opcode in the frame header, 3) Requests with oversized stream_id values or negative lengths, 4) Thrift requests with non-ASCII method_name bytes. It then evaluates responses for: unexpected ERROR codes (e.g., PROTOCOL_ERROR vs UNAUTHORIZED), timing differences indicating processing of malformed headers, or error messages that leak internal state (e.g., Invalid header byte vs generic Authentication failed).

For example, if injecting a PREPARE opcode into a QUERY frame returns a PREPARED response instead of an error, it indicates the server processed the opcode without validating the stream's authorization context—a clear header injection flaw. middleBrick's report will assign an Input Validation score and provide a prioritized finding with severity (Critical/High/Medium/Low) and remediation guidance specific to Cassandra configuration.

You can scan a Cassandra CQL endpoint directly from the terminal:

middlebrick scan cassandra.example.com:9042

Or integrate it into CI/CD to catch regressions before deployment:

uses: middlebrick/action@v1
with:
  api_url: ${{ env.CASSANDRA_ENDPOINT }}
  fail_below_score: 80

The scan takes 5–15 seconds and requires no credentials, testing the unauthenticated attack surface exactly as an external attacker would.

Remediation requires defense-in-depth: configuration hardening, network controls, and strict client-side validation. Cassandra provides native mechanisms to mitigate header injection.

1. Enforce Strict Protocol Validation (cassandra.yaml)

Disable legacy Thrift if unused. For CQL, ensure the native transport only accepts protocol versions your clients support. In cassandra.yaml:

start_native_transport: true
native_transport_port: 9042
# Restrict to CQL v4+ (v5 is default in 4.0+)
native_transport_max_frame_size_in_mb: 256
# Reject frames with invalid headers early

Set native_transport_max_frame_size_in_mb to a reasonable limit (default 256MB) to prevent oversized header attacks. While not directly fixing injection, it limits blast radius.

2. Enable Authentication and Authorizer

Always enable authenticator and authorizer. The PasswordAuthenticator validates credentials at the connection stage, but also integrates with the CQL protocol handler to reject unauthorized frame types early. In cassandra.yaml:

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

This ensures that even if a header is manipulated to change opcodes, the server will still verify the authenticated session's permissions before executing any operation.

3. Network-Level Segmentation

Use firewall rules (e.g., iptables or cloud security groups) to restrict access to ports 9042/9160 only to known application servers. This reduces the attack surface for unauthenticated header injection. Example iptables rule:

iptables -A INPUT -p tcp --dport 9042 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 9042 -j DROP

4. Client-Side Validation (Java Example)

If you build custom Cassandra clients, validate all protocol fields before sending. Using the DataStax Java driver:

import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.cql.SimpleStatement;

// Never construct frames manually; use driver's built-in methods
SimpleStatement stmt = SimpleStatement.builder("SELECT * FROM ks.tbl")
    .setConsistencyLevel(ConsistencyLevel.LOCAL_QUORUM)
    .build();

// The driver handles protocol encoding safely; avoid raw ByteBuf manipulation
session.execute(stmt);

Avoid using low-level Thrift APIs (org.apache.cassandra.thrift) unless absolutely necessary. If you must, sanitize all method_name and message_type inputs against a strict allowlist.

5. Upgrade and Patch

Regularly upgrade Cassandra to incorporate fixes for known header injection vulnerabilities (e.g., CVE-2021-29244 was fixed in Apache Cassandra 4.0.1, 3.11.11, 3.0.22). Monitor the Cassandra security announcements.

middleBrick's remediation guidance in its reports will map these findings to specific cassandra.yaml settings and reference relevant CVEs, helping prioritize fixes.