Apache Cassandra is a free and open-source distributed NoSQL database management system that can handle massive volumes of data across many commodity servers while maintaining high availability and avoiding single points of failure.
Researchers have revealed details of a high-severity security flaw in the Apache Cassandra open-source NoSQL distributed database. The vulnerability is easy to exploit and might allow attackers to get remote code execution (RCE) if left unpatched.
The flaw is identified as CVE-2021-44521, and it affects how Cassandra produces user-defined functions (UDFs) to do custom data processing.
“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Omer Kaspi, a security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.
Cassandra deployments were discovered to be vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
Affected versions
- Cassandra 4.0.x prior to 4.0.2
- Cassandra 3.0.x prior to 3.0.26
- Cassandra 3.11.x prior to 3.11.12
Mitigation
- Set `enable_user_defined_functions_threads: true` (this is default)
OR
- 3.0 users should upgrade to 3.0.26
- 3.11 users should upgrade to 3.11.12
- 4.0 users should upgrade to 4.0.2
For more information, please refer to the Apache Security Advisory or search using CASSANDRA-17352.
Qualys Detection
Qualys customers can scan their devices with QID 376427 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.html
https://www.zdnet.com/article/apache-cassandra-users-urged-to-upgrade-after-vulnerability-disclosed/
https://threatpost.com/high-severity-rce-bug-found-in-popular-apache-cassandra-database/178464/