Client initialized Session-Renegotiation DoS
Description
CrateDB is a distributed SQL database. A high-risk vulnerability has been identified in versions prior to 5.7.2 where the TLS endpoint (port 4200) permits client-initiated renegotiation. In this scenario, an attacker can exploit this feature to repeatedly request renegotiation of security parameters during an ongoing TLS session. This flaw could lead to excessive consumption of CPU resources, resulting in potential server overload and service disruption. The vulnerability was confirmed using an openssl client where the command R initiates renegotiation, followed by the server confirming with RENEGOTIATING. This vulnerability allows an attacker to perform a denial of service attack by exhausting server CPU resources through repeated TLS renegotiations. This impacts the availability of services running on the affected server, posing a significant risk to operational stability and security. TLS 1.3 explicitly forbids renegotiation, since it closes a window of opportunity for an attack. Version 5.7.2 of CrateDB contains the fix for the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CrateDB versions prior to 5.7.2 allow client-initiated TLS renegotiation on port 4200, enabling a denial-of-service attack via CPU exhaustion.
Vulnerability
Overview
CrateDB versions prior to 5.7.2 contain a high-risk vulnerability in the TLS endpoint on port 4200, which permits client-initiated renegotiation on TLS 1.2 sessions [1][4]. This behavior violates modern TLS best practice: TLS 1.3 removed renegotiation entirely because of the security problems it introduces, so the issue only exists on the TLS 1.2 code path [1].
Exploitation
An attacker with network access to the affected CrateDB instance can exploit this flaw by repeatedly requesting a new handshake inside an established TLS 1.2 session. With the standard OpenSSL client (openssl s_client), typing R on the client's standard input makes it start a renegotiation; the client prints RENEGOTIATING, and a vulnerable server completes the second handshake instead of refusing it [1][4]. Each accepted renegotiation runs a handshake on the server, and a full handshake costs the server a private-key operation, so the work per attempt is asymmetric in the attacker's favour and a single client can drive it repeatedly.
Impact
By sending a high volume of renegotiation requests, an attacker can exhaust the server's CPU, leading to service disruption and denial of service (DoS) [1][4]. This impacts the availability of all services running on the affected server, posing a serious operational risk.
Mitigation
The vulnerability is fixed in CrateDB version 5.7.2, whose launcher scripts (bin/crate and bin/crate.bat) add -Djdk.tls.rejectClientInitiatedRenegotiation=true to JAVA_OPTS by default [2][4]. The property is honoured by the JDK's JSSE provider: with it set, the server refuses a client's attempt to start a new handshake inside an existing session. For earlier versions, administrators can mitigate the issue by passing the same JVM flag when starting CrateDB [4]. Because the control lives in the launcher scripts rather than in the database configuration, deployments that start the JVM through some other path need to add the flag themselves, and in every case it is worth confirming on the running process that the property took effect (for example with jcmd <pid> VM.system_properties). Restricting network access to the cluster, for example via IP allowlists, also reduces the attack surface [4].
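The probe that the Exploitation and Mitigation paragraphs describe, written out as an added example that is not part of this page or of CrateDB's own code: connect with TLS 1.2 forced, type R to openssl s_client, and classify what comes back. It assumes the message-header format of openssl s_client -msg (one ", ClientHello" / ", ServerHello" header line per handshake message), that a JSSE server with the property set answers the second ClientHello with a fatal handshake_failure alert as the JDK documents, and that an OpenSSL server with renegotiation disabled answers with a warning no_renegotiation alert. The sample transcripts are constructed and abbreviated; the host, port and script name are placeholders.

```shell
#!/bin/sh
# Added example, not CrateDB's own code: probe a TLS endpoint for
# client-initiated renegotiation and classify the `openssl s_client -msg`
# transcript. Port 4200 is the default only because it is the CrateDB TLS
# port named in the advisory; host and port are whatever you pass in.

# Connect with TLS 1.2 forced (TLS 1.3 has no renegotiation, so a 1.3 session
# would prove nothing about the 1.2 code path), then type 'R' to s_client,
# which makes it start a renegotiation and print RENEGOTIATING. The sleep keeps
# stdin open so the second handshake, or the server's alert, has time to arrive.
probe_renegotiation() {
    host=$1
    port=${2:-4200}
    { printf 'R\n'; sleep 3; } | openssl s_client -connect "$host:$port" \
        -tls1_2 -msg 2>&1
}

# Read a transcript on stdin and print one verdict:
#   ACCEPTED      a second ClientHello was answered with a second ServerHello
#   REJECTED      the attempt drew a handshake_failure or no_renegotiation alert
#   NOT_ATTEMPTED s_client never got as far as sending 'R' (initial TLS 1.2
#                 handshake failed, connection refused, ...)
#   UNKNOWN       renegotiation was attempted but the transcript is inconclusive
classify_transcript() {
    transcript=$(cat)
    if ! printf '%s\n' "$transcript" | grep -q 'RENEGOTIATING'; then
        echo NOT_ATTEMPTED
        return 0
    fi
    if printf '%s\n' "$transcript" \
        | grep -Eq 'Alert .*(fatal handshake_failure|warning no_renegotiation)'; then
        echo REJECTED
        return 0
    fi
    # -msg prints one "..., ClientHello" / "..., ServerHello" header line per
    # handshake message; the hex dump lines never contain these words. The '$'
    # anchor keeps ServerHelloDone from being counted as a ServerHello.
    client_hellos=$(printf '%s\n' "$transcript" | grep -c ', ClientHello' || true)
    server_hellos=$(printf '%s\n' "$transcript" | grep -c ', ServerHello$' || true)
    if [ "$client_hellos" -ge 2 ] && [ "$server_hellos" -ge 2 ]; then
        echo ACCEPTED
        return 0
    fi
    echo UNKNOWN
}

# Constructed transcripts (abbreviated, hex dumps omitted) in the shape
# `openssl s_client -msg` produces, so the classifier can be exercised offline.
sample_vulnerable() {
    cat <<'EOF'
CONNECTED(00000003)
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0039], ServerHello
<<< TLS 1.2, Handshake [length 0310], Certificate
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
>>> TLS 1.2, Handshake [length 00d0], ClientHello
<<< TLS 1.2, Handshake [length 0039], ServerHello
<<< TLS 1.2, Handshake [length 0310], Certificate
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
EOF
}

sample_fixed() {
    cat <<'EOF'
CONNECTED(00000003)
>>> TLS 1.2, Handshake [length 00c4], ClientHello
<<< TLS 1.2, Handshake [length 0039], ServerHello
<<< TLS 1.2, Handshake [length 0004], ServerHelloDone
RENEGOTIATING
>>> TLS 1.2, Handshake [length 00d0], ClientHello
<<< TLS 1.2, Alert [length 0002], fatal handshake_failure
EOF
}

sample_unreachable() {
    cat <<'EOF'
connect: Connection refused
connect:errno=111
EOF
}

# Usage: ./probe.sh HOST [PORT]   (hypothetical script name)
if [ $# -ge 1 ]; then
    probe_renegotiation "$1" "$2" | classify_transcript
fi
```

Run it against a node before and after adding the JVM flag: a node that reports ACCEPTED is still exposed, REJECTED means the property is in effect, and NOT_ATTEMPTED usually means the endpoint did not complete a TLS 1.2 handshake at all (for instance because only TLS 1.3 is enabled), which is a different question from whether the 1.2 path still allows renegotiation.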
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.crate:crate (Maven) | < 5.7.2 | 5.7.2 |
Affected products
- crate/crate (v5): range < 5.7.2
Patches
1dde03bdf031 Set JVM variable rejectClientInitiatedRenegotiation to true by default
3 files changed · +8 −2
app/src/main/dist/bin/crate+1 −1 modified@@ -114,7 +114,7 @@ if [ "x$CRATE_USE_IPV4" != "x" ]; then fi ## GC configuration -JAVA_OPTS="$JAVA_OPTS -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30" +JAVA_OPTS="$JAVA_OPTS -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djdk.tls.rejectClientInitiatedRenegotiation=true" # GC logging options # Set CRATE_DISABLE_GC_LOGGING=1 to disable GC logging
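Review bot: the TLS hardening flag is appended to the line under `## GC configuration` (`-XX:+UseG1GC ... -Djdk.tls.rejectClientInitiatedRenegotiation=true`), so anyone tuning garbage-collection options later has no signal that a security control sits on the same line and can drop it by rewriting that line. Give it its own line and comment, for example `## TLS: refuse client-initiated renegotiation (DoS fix, see 5.7.2 release notes)` followed by `JAVA_OPTS="$JAVA_OPTS -Djdk.tls.rejectClientInitiatedRenegotiation=true"`. Two caveats belong in that comment: a JVM system property given more than once takes the last value, so anything appended to JAVA_OPTS after this point can silently turn the protection back off; and the property is consumed only by the JDK's JSSE provider, so it stops applying if the TLS engine is ever switched to a non-JSSE implementation.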
app/src/main/dist/bin/crate.bat+1 −1 modified@@ -55,7 +55,7 @@ REM Enable aggressive optimizations in the JVM REM - Disabled by default as it might cause the JVM to crash REM set JAVA_OPTS=%JAVA_OPTS% -XX:+AggressiveOpts -set JAVA_OPTS=%JAVA_OPTS% -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 +set JAVA_OPTS=%JAVA_OPTS% -XX:+UseG1GC -XX:G1ReservePercent=25 -XX:InitiatingHeapOccupancyPercent=30 -Djdk.tls.rejectClientInitiatedRenegotiation=true REM GC logging default values SET GC_LOG_DIR=%CRATE_HOME%\logs
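Review bot: same structural point as the Unix launcher, and here the context makes it worse: the surrounding `REM` lines explain the commented-out `-XX:+AggressiveOpts` but nothing explains why a `-Djdk.tls...` property now rides on the GC `set JAVA_OPTS=...` line. Mirror whatever dedicated line and comment the sh script ends up with so the two launchers stay in step, and note that `set` builds the value from `%JAVA_OPTS%` first, so a user-supplied value of the same property appended afterwards would win.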
docs/appendices/release-notes/5.7.2.rst+6 −0 modified@@ -43,6 +43,12 @@ Version 5.7.2 - Unreleased See the :ref:`version_5.7.0` release notes for a full list of changes in the 5.7 series. +Security Fixes +============== + +- Fixed a security issue allowing clients using TLS v1.2 to do client-initiated + renegotiation which can lead to DoS. + Fixes =====
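Review bot: the entry names the symptom (DoS via client-initiated renegotiation on TLS 1.2) but not the control, which is a launcher-script default rather than a server setting. Operators who start the JVM without `bin/crate` or `crate.bat` get nothing from this release unless they add `-Djdk.tls.rejectClientInitiatedRenegotiation=true` themselves; say so in the note, and reference the advisory identifier so the entry can be matched to the CVE and to the earlier versions that need the manual flag.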
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/advisories/GHSA-x268-qpg6-w9g2 (GitHub advisory database)
2. https://nvd.nist.gov/vuln/detail/CVE-2024-37309 (NVD)
3. https://cratedb.com/docs/crate/reference/en/latest/appendices/release-notes/5.7.2.html (CrateDB 5.7.2 release notes)
4. https://github.com/crate/crate/commit/1dde03bdf031a20886065195527e368e4a3218b3 (fix commit)
5. https://github.com/crate/crate/security/advisories/GHSA-x268-qpg6-w9g2 (vendor advisory)