
High-severity RCE security bug reported in Apache Cassandra database software

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to obtain remote code execution on affected installations.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but fortunately only manifests in non-default Cassandra configurations,” said security researcher Omer Kaspi of DevOps company JFrog in a technical article published Tuesday.

Apache Cassandra is an open source, distributed NoSQL database management system for managing very large amounts of structured data on commodity servers.


Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario in which User Defined Functions (UDFs) are enabled, allowing an attacker to abuse the Nashorn JavaScript engine to escape the sandbox and achieve untrusted code execution.


Specifically, Cassandra deployments have been found to be vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When [enable_user_defined_functions_threads] is set to false, all invoked UDFs run in the Cassandra daemon thread, which has a security manager with certain permissions,” Kaspi said. This allows an adversary to disable the security manager, break out of the sandbox and execute arbitrary shell commands on the server.


Apache Cassandra users are encouraged to upgrade to versions 3.0.26, 3.11.12 or 4.0.2 to avoid possible exploitation. These releases fix the flaw by adding a new “allow_extra_insecure_udfs” flag, which is set to false by default and prevents the security manager from being disabled.
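As an added example (not from the article, JFrog or the Cassandra project), the following checker reads a cassandra.yaml and reports whether it contains the three-setting combination listed above, and whether the post-patch allow_extra_insecure_udfs flag is present. It assumes the relevant keys are flat top-level "key: value" lines, which is how they appear in cassandra.yaml; the sample file is constructed.

```python
import re

# The three settings the article lists, with the values that expose the issue.
RISKY_SETTINGS = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}

# Constructed sample mirroring the vulnerable layout described in the article.
SAMPLE_VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
# UDF settings
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(\S+)?")

def parse_top_level(yaml_text):
    """Return top-level scalar settings; comments, blanks and nested keys are ignored."""
    settings = {}
    for line in yaml_text.splitlines():
        if line.startswith((" ", "\t", "#")) or not line.strip():
            continue
        m = _LINE.match(line.split("#", 1)[0])  # drop inline comments
        if m and m.group(2) is not None:
            settings[m.group(1)] = m.group(2).strip("'\"").lower()
    return settings

def assess_udf_config(yaml_text):
    """Classify the UDF settings as one of:
    not-exposed   - the risky three-setting combination is not present
    fixed         - risky combination, but allow_extra_insecure_udfs is false
    vulnerable    - risky combination and allow_extra_insecure_udfs is true
    check-version - risky combination and the flag is absent: a patched release
                    defaults it to false, an unpatched one has no such guard
    """
    s = parse_top_level(yaml_text)
    if not all(s.get(k) == v for k, v in RISKY_SETTINGS.items()):
        return "not-exposed"
    flag = s.get("allow_extra_insecure_udfs")
    if flag is None:
        return "check-version"
    return "vulnerable" if flag == "true" else "fixed"
```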