Home Latest Cyber Security News | Network Security Hacking Remote Code Execution Bug Found In Apache Cassandra – Patch Now!
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Remote Code Execution Bug Found In Apache Cassandra – Patch Now!

by Abeerah Hashim
written by Abeerah Hashim
Palo Alto Networks Pan-OS zero-day vulnerability under active attack

Researchers have found a high-severity bug in Apache Cassandra allowing code execution attacks. Since the vendors have patched the flaw, Cassandra users should rush to update their servers and avoid exploit.

Apache Cassandra RCE Bug

As elaborated in a detailed post, the JFrog’s Security Research team discovered a serious code execution bug in Apache Cassandra.

Apache Cassandra is an open-source database management system from the Apache Software Foundation. This distributed NoSQL database can manage large files across multiple commodity servers, with no single point of failure. Hence, they are widely used in businesses, including the giants like Twitter, Reddit, Netflix, Cisco, and more.

Nonetheless, this popularity also means that any security glitch here can directly affect numerous businesses with devastating results.

One such vulnerability caught JFrog’s attention. Briefly, they found a remote code execution vulnerability that won’t come into action with default configurations. While that sounds relaxing, the trouble happens for custom installations.

It’s because the vulnerability affects creating user-defined-functions (UDFs), which is disabled by default, but enabled on systems with custom configurations.

Regarding the vulnerability CVE-2021-44521, its description reads,

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.

The vulnerability description also calls the vulnerable configuration “unsafe” even after the CVE.

While this bug might not be as disruptive as Log4j vulnerabilities, still, it’s likely for many systems to have custom configurations. Therefore, all Cassandra users should ensure configuring their systems securely by setting up enable_user_defined_functions_threads: true and enable_user_defined_functions: false

Whereas, ideally, users should rush to update their systems running on versions 3.0.x, 3.11.x, and 4.0.x to 3.0.26, 3.11.12, and 4.0.2, respectively.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...

LayerSlider WordPress Plugin Vulnerability Affected Thousands Of Websites

OWASP Disclosed Data Breach Affecting Old Members

Center Identity Launches Patented Passwordless Authentication for Businesses