Reported high-severity RCE security bug in Apache Cassandra database software

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to obtain remote code execution on affected installations.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but fortunately it only manifests in non-default Cassandra configurations,” Omer Kaspi, Security Researcher at DevOps firm JFrog, noted in a technical article published on Tuesday.

Apache Cassandra is an open source, distributed NoSQL database management system for managing very large amounts of structured data on commodity servers.


Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability affects a specific scenario in which user-defined functions (UDFs), including scripted UDFs, are enabled. In that configuration an attacker can abuse the Nashorn JavaScript engine to escape the UDF sandbox and execute untrusted code.


Specifically, Cassandra deployments have been found to be vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When the [enable_user_defined_functions_threads] is set to false, all invoked UDFs run in the Cassandra daemon thread, which has a security manager with certain permissions,” Kaspi said. Those permissions let an attacker disable the security manager, break out of the sandbox, and execute arbitrary shell commands on the server.


Apache Cassandra users are encouraged to upgrade to releases 3.0.26, 3.11.12, or 4.0.2 to prevent possible exploitation. The fix adds a new “allow_extra_insecure_udfs” flag, which is set to false by default and prevents UDFs from disabling the security manager.
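The following is an added example, not code from the article or from the Cassandra project, showing how an operator might check a cassandra.yaml and a release string against the exposure described above: the three-flag combination (UDFs on, scripted UDFs on, UDF threads off) and, on a patched release, whether the new allow_extra_insecure_udfs flag has been turned back on. The fixed release numbers are the ones named in this article; the defaults for the four flags and the assumption that releases before those fix points on the 3.0, 3.11 and 4.0 lines are unpatched are my own assumptions, and the sample YAML snippets are constructed, not taken from a real deployment.

```python
import re

# Fix releases named in the article; earlier releases on each line are
# assumed unpatched (assumption, the article gives no affected-version ranges).
FIXED_RELEASES = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Stock cassandra.yaml defaults (assumption: the article only says the bug
# needs a non-default configuration; these are the shipped defaults as I know them).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,
}

# Flat `key: value` line, optional trailing `# comment`.
_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*(?:#.*)?$")


def parse_top_level(text):
    """Minimal reader for the flat top-level keys of cassandra.yaml.
    Indented (nested) lines and comment lines are skipped; this is not a
    full YAML parser, only enough to read the boolean flags checked here."""
    out = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or line.lstrip().startswith("#"):
            continue
        m = _KV.match(line)
        if m and m.group(2) != "":
            out[m.group(1)] = m.group(2)
    return out


def as_bool(value):
    v = value.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def udf_flags(text):
    """Return the four UDF-related flags, falling back to the assumed defaults."""
    cfg = parse_top_level(text)
    return {k: as_bool(cfg[k]) if k in cfg else d for k, d in DEFAULTS.items()}


def parse_version(version):
    return tuple(int(p) for p in version.split("."))


def is_fixed_release(version):
    """True/False against the article's fix points; None if the release line
    (e.g. 2.2.x) is not one the article lists."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def assess(text, version):
    f = udf_flags(text)
    scripted_in_daemon_thread = (
        f["enable_user_defined_functions"]
        and f["enable_scripted_user_defined_functions"]
        and not f["enable_user_defined_functions_threads"]
    )
    if not scripted_in_daemon_thread:
        return "not exposed: scripted UDFs disabled or running in separate threads"
    fixed = is_fixed_release(version)
    if fixed is None:
        return "exposed config; release line not in the fix list, check the project advisory"
    if not fixed:
        return f"VULNERABLE: {version} predates the fix, upgrade"
    if f["allow_extra_insecure_udfs"]:
        return "VULNERABLE: patched release, but allow_extra_insecure_udfs re-enables the insecure path"
    return "mitigated: patched release keeps the security manager in place"


# Constructed samples of the relevant cassandra.yaml lines (not real deployments).
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # UDFs run in the daemon thread
"""

HARDENED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true    # UDFs run in separate threads
"""

if __name__ == "__main__":
    for ver in ("3.11.11", "4.0.2"):
        print(ver, "->", assess(VULNERABLE_YAML, ver))
    print("hardened ->", assess(HARDENED_YAML, "3.11.11"))
```

Point the script at a real file with `assess(open("/etc/cassandra/cassandra.yaml").read(), "<nodetool version>")`; the decisive line for an exposed pre-fix node is `enable_user_defined_functions_threads: false`, and on a patched node the only way back into the insecure path is setting `allow_extra_insecure_udfs: true`.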

Maria H. Underwood