VYPR
Moderate severity · NVD Advisory · Published Dec 16, 2021 · Updated Aug 4, 2024

CVE-2020-35216

Description

An issue in Atomix v3.1.5 allows attackers to cause a denial of service (DoS) via false member down event messages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Atomix v3.1.5 allows attackers to cause a denial of service by sending false member down event messages to the cluster.

Vulnerability

This vulnerability affects Atomix v3.1.5, a cloud-native runtime for building distributed applications using Kubernetes. The issue allows an attacker to send false member down event messages, which are accepted by the cluster without proper authentication or validation of the member status. This leads to incorrect cluster state management.

Exploitation

An attacker with network access to the Atomix cluster can exploit this vulnerability by crafting and sending malicious member down event messages. No authentication or special privileges are required if the cluster accepts unauthenticated messages. The attacker sends these false messages to the cluster nodes, which then incorrectly mark legitimate members as down.

Impact

Successful exploitation causes a denial of service (DoS) by disrupting the cluster's membership view. Legitimate members are evicted from the cluster, leading to reconfiguration overhead, loss of quorum, and potentially a complete cluster failure, rendering the distributed application unavailable.

Mitigation

As of the published date (2021-12-16), no fix has been released. Users are advised to restrict network access to the Atomix cluster to trusted parties only, and monitor for suspicious member down events. The vendor has not yet disclosed a patch [1][2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.atomix:atomix (Maven) | <= 3.1.5 | |

Patches

No patches discovered yet.
