VYPR
High severity · NVD Advisory · Published Dec 16, 2021 · Updated Aug 4, 2024

CVE-2020-35211

Description

An issue in Atomix v3.1.5 allows unauthorized Atomix nodes to become the lead node in a target cluster via manipulation of the variable terms in RaftContext.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthorized Atomix nodes can become leader in a cluster by manipulating RaftContext terms, compromising cluster integrity.

Vulnerability

CVE-2020-35211 affects Atomix v3.1.5, a Kubernetes toolkit for building distributed applications. The vulnerability resides in the Raft consensus implementation, specifically in the handling of terms within the RaftContext. An unauthorized node can manipulate these terms to become the leader of a target cluster. The exact code path requires the attacker to have network access to the cluster and the ability to send crafted Raft messages.

Exploitation

An attacker must be able to join the Atomix cluster as an unauthorized node or inject messages into the Raft communication. By manipulating the terms variable in RaftContext, the attacker can force a leadership election in their favor. No authentication or prior privileges are required beyond network access to the cluster's Raft port.

Impact

Successful exploitation allows the attacker to become the leader node of the Atomix cluster. As leader, the attacker can control the cluster's state machine, potentially leading to data corruption, denial of service, or further compromise of applications relying on Atomix primitives. The integrity and availability of the cluster are directly impacted.

Mitigation

As of the publication date (2021-12-16), no official patch or workaround has been disclosed in the available references [1]. Users should monitor the Atomix project repository [2] for updates. If possible, restrict network access to the Raft port and ensure only trusted nodes can join the cluster. Upgrading to a newer version, if available, is recommended.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.atomix:atomix (Maven) | <= 3.1.5 | |

Affected products

2

Patches

0

No patches discovered yet.

References

3
