Apache Cassandra Database Software High-Severity Remote Code Execution Vulnerability (CVE-2021-44521)

Apache Cassandra is a free and open-source distributed NoSQL database management system that can handle massive volumes of data across many commodity servers while maintaining high availability and avoiding single points of failure. 
 
Researchers at JFrog have disclosed details of a high-severity security flaw in the Apache Cassandra open-source NoSQL distributed database. The vulnerability is easy to exploit and could give an attacker remote code execution (RCE) on the database host if it is left unpatched. 
  
The flaw is tracked as CVE-2021-44521 and lies in how Cassandra sandboxes user-defined functions (UDFs), the mechanism that lets users run custom data-processing code inside the database. The affected functions are scripted UDFs, which are written in a JVM scripting language (JavaScript) rather than compiled Java.  
 
“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Omer Kaspi, a security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday. 
 
A Cassandra node is vulnerable to CVE-2021-44521 when its cassandra.yaml configuration file contains all three of the following settings (the first two are off by default and the third is on by default, so a stock install is not exposed). An attacker also needs a CQL session that is allowed to create functions, so the bug is a sandbox escape from within a scripted UDF rather than an unauthenticated entry point: 

  • enable_user_defined_functions: true 
  • enable_scripted_user_defined_functions: true 
  • enable_user_defined_functions_threads: false 

Affected versions  

  • Cassandra 4.0.x prior to 4.0.2 
  • Cassandra 3.0.x prior to 3.0.26 
  • Cassandra 3.11.x prior to 3.11.12 

Mitigation  

  • Set `enable_user_defined_functions_threads: true` (this is the default; it runs each UDF in a dedicated, restricted thread instead of the caller's thread) 

OR 

  • 3.0 users should upgrade to 3.0.26 
  • 3.11 users should upgrade to 3.11.12 
  • 4.0 users should upgrade to 4.0.2
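As an added example (not code from the Qualys post or from the Apache Cassandra project), the following Python script combines the two checks above: it pulls the three UDF flags out of a cassandra.yaml and compares the node's version against the fixed releases in the advisory, then returns a single verdict per node. The sample YAML is constructed for the demonstration, and the flag defaults assumed for missing keys are the shipped Cassandra defaults (UDFs off, scripted UDFs off, UDF threads on).

```python
"""Assess a Cassandra node for CVE-2021-44521 exposure.

Added example, not part of the original post or the Cassandra project.
The check has two halves: the configuration combination named in the
advisory, and the affected version ranges. A node is only at risk when
it is both unpatched and running with the non-default flag combination.
"""
import re

# Fixed releases per the Apache advisory (CASSANDRA-17352), keyed by release line.
FIXED_VERSIONS = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

UDF_KEYS = (
    "enable_user_defined_functions",
    "enable_scripted_user_defined_functions",
    "enable_user_defined_functions_threads",
)

# Top-level "key: value   # optional comment" lines; nothing else in the file matters here.
_KV = re.compile(r"^\s*(?P<key>[A-Za-z0-9_]+)\s*:\s*(?P<val>[^#]*?)\s*(#.*)?$")


def parse_flags(yaml_text):
    """Return the three UDF flags as booleans, using shipped defaults when absent."""
    flags = {
        "enable_user_defined_functions": False,
        "enable_scripted_user_defined_functions": False,
        "enable_user_defined_functions_threads": True,
    }
    for line in yaml_text.splitlines():
        m = _KV.match(line)
        if not m or m.group("key") not in UDF_KEYS:
            continue
        flags[m.group("key")] = m.group("val").strip().lower() == "true"
    return flags


def config_exposed(flags):
    """True only when all three advisory conditions hold at the same time."""
    return (
        flags["enable_user_defined_functions"]
        and flags["enable_scripted_user_defined_functions"]
        and not flags["enable_user_defined_functions_threads"]
    )


def version_affected(version):
    """True for 3.0.x < 3.0.26, 3.11.x < 3.11.12 and 4.0.x < 4.0.2."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED_VERSIONS.get(parts[:2])
    return fixed is not None and parts < fixed


def assess(yaml_text, version):
    """Combine both checks into one verdict: patched, vulnerable or mitigated."""
    if not version_affected(version):
        return "patched"        # fixed release: the flag combination no longer matters
    if config_exposed(parse_flags(yaml_text)):
        return "vulnerable"     # unpatched AND UDFs run in the caller's thread
    return "mitigated"          # unpatched, but UDFs are off or run in their own thread


# Constructed sample: an exposed node with every flag flipped away from its default.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true            # default is false
enable_scripted_user_defined_functions: true   # default is false
enable_user_defined_functions_threads: false   # default is true
"""

if __name__ == "__main__":
    for ver in ("3.11.11", "3.11.12"):
        print(ver, assess(SAMPLE_YAML, ver))
```

Run it against each node's cassandra.yaml and the output of `nodetool version`; a "mitigated" result still means the node should be scheduled for upgrade, since the flag could be flipped back on later.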

For more information, please refer to the Apache security advisory or the Cassandra issue CASSANDRA-17352. 
 
Qualys Detection  
Qualys customers can scan their devices with QID 376427 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356  
https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.html 
https://www.zdnet.com/article/apache-cassandra-users-urged-to-upgrade-after-vulnerability-disclosed/ 
https://threatpost.com/high-severity-rce-bug-found-in-popular-apache-cassandra-database/178464/ 
