Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to obtain remote code execution on affected installations.
“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but fortunately it only manifests in non-default Cassandra configurations,” Omer Kaspi, Security Researcher at DevOps firm JFrog, noted in a technical article published on Tuesday.
Apache Cassandra is an open source, distributed NoSQL database management system for managing very large amounts of structured data on commodity servers.
Specifically, Cassandra deployments have been found to be vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
“When the [enable_user_defined_functions_threads] is set to false, all invoked UDFs run in the Cassandra daemon thread, which has a security manager with certain permissions,” Kaspi said. That permission set lets an adversary disable the security manager, break out of the UDF sandbox and execute arbitrary shell commands on the server.
Apache Cassandra users are encouraged to upgrade to releases 3.0.26, 3.11.12 and 4.0.2 to prevent possible exploitation. These releases fix the flaw by adding a new “allow_extra_insecure_udfs” flag, which is set to false by default and prevents the security manager from being disabled.
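As an added example (not code from the article or the Cassandra project), here is a small defensive check that reads a cassandra.yaml and reports whether it carries the setting combination described above, using the release numbers and the allow_extra_insecure_udfs flag the article names; it assumes the fix applies to every later patch release on the same branch and only handles flat top-level `key: value` lines, which is enough for these keys.

```python
import re
from typing import Dict, Optional

# The three settings the article lists as the vulnerable combination.
RISKY = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}

# First fixed release per branch, as named in the article (assumption: the fix
# is present in every later patch release on the same branch).
FIXED_IN = {"3.0": (3, 0, 26), "3.11": (3, 11, 12), "4.0": (4, 0, 2)}

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Collect top-level 'key: value' pairs; skips comments, blanks and nested blocks."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*(\S.*?)\s*(#.*)?$", line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings

def is_patched(version: str) -> Optional[bool]:
    """True/False for a release on a branch the article covers, None otherwise."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) < 2:
        return None
    branch = f"{parts[0]}.{parts[1]}"
    return None if branch not in FIXED_IN else parts >= FIXED_IN[branch]

def assess(yaml_text: str, version: str) -> str:
    s = parse_flat_yaml(yaml_text)
    if not all(s.get(k) == v for k, v in RISKY.items()):
        return "not-exposed: the risky UDF setting combination is not present"
    patched = is_patched(version)
    if patched is None:
        return "review: risky UDF settings present; release branch not covered here"
    if not patched:
        return "vulnerable: risky UDF settings on an unpatched release; upgrade"
    if s.get("allow_extra_insecure_udfs") == "true":
        return "vulnerable: allow_extra_insecure_udfs re-enables the unsafe behaviour"
    return "mitigated: patched release keeps allow_extra_insecure_udfs at false"

# Constructed sample config (not a real deployment) showing the risky combination.
SAMPLE_RISKY = """# cassandra.yaml excerpt
enable_user_defined_functions: true   # needed for UDFs at all
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

if __name__ == "__main__":
    print(assess(SAMPLE_RISKY, "3.11.11"))
```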