Researchers have found a high-severity bug in Apache Cassandra that allows code execution attacks. Since the vendor has patched the flaw, Cassandra users should update their servers promptly to avoid exploitation.
Apache Cassandra RCE Bug
As elaborated in a detailed post, JFrog’s Security Research team discovered a serious code execution bug in Apache Cassandra.
Apache Cassandra is an open-source database management system from the Apache Software Foundation. This distributed NoSQL database can manage large files across multiple commodity servers with no single point of failure. Hence, it is widely used in businesses, including giants such as Twitter, Reddit, Netflix, Cisco, and more.
Nonetheless, this popularity also means that any security glitch here can directly affect numerous businesses with devastating results.
One such vulnerability caught JFrog’s attention: a remote code execution vulnerability that is not exploitable under the default configuration. While that sounds reassuring, custom installations are at risk.
It’s because the vulnerability lies in the creation of user-defined functions (UDFs), a feature that is disabled by default but enabled on systems with custom configurations.
The description of CVE-2021-44521 reads:
When running Apache Cassandra with the following configuration:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this.
The advisory also describes this configuration as “unsafe”, a designation that stands even after the fix for this CVE.
While this bug might not be as disruptive as the Log4j vulnerabilities, many systems are still likely to run custom configurations. Therefore, all Cassandra users should ensure their systems are configured securely by setting enable_user_defined_functions_threads: true and enable_user_defined_functions: false.
Ideally, users should promptly update systems running versions 3.0.x, 3.11.x, and 4.0.x to 3.0.26, 3.11.12, and 4.0.2, respectively.
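The two checks described above (the unsafe flag combination from the advisory and the fixed release per branch) can be combined into a small audit a defender runs against each node's cassandra.yaml. The script below is an added example written for this article, not code from JFrog or the Apache Cassandra project. It reads only the three top-level keys named in the advisory with a minimal "key: value" parser (so it has no PyYAML dependency), falls back to the documented defaults when a key is absent, and compares a version string against the fixed releases listed above. The YAML samples are constructed for illustration.

```python
"""Audit a cassandra.yaml and version for the CVE-2021-44521 preconditions.

Added example, not from the article or from JFrog/Apache. Checks the three
top-level flags named in the advisory and the fixed releases the article
lists. Sample YAML below is constructed.
"""
import re

# Fixed releases per branch, as stated in the article.
FIXED_VERSIONS = {
    (3, 0): (3, 0, 26),
    (3, 11): (3, 11, 12),
    (4, 0): (4, 0, 2),
}

# Constructed sample: the configuration the advisory describes as vulnerable.
UNSAFE_YAML = """\
# cassandra.yaml (constructed sample)
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

# Constructed sample: the hardened settings the article recommends.
SAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: true
"""


def parse_flat_yaml(text):
    """Return top-level scalar 'key: value' pairs as a dict of strings.

    Only unindented lines are considered; comments and blank lines are
    skipped. This is enough for the three boolean flags of interest.
    """
    settings = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or line.lstrip().startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+):\s*(.*?)\s*(#.*)?$", line)
        if m and m.group(2) != "":
            settings[m.group(1)] = m.group(2).strip("'\"")
    return settings


def as_bool(value, default):
    """Interpret a YAML boolean; fall back to the documented default if absent."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "on")


def udf_config_is_unsafe(yaml_text):
    """True when all three conditions from the CVE-2021-44521 advisory hold."""
    s = parse_flat_yaml(yaml_text)
    # Defaults: UDFs off, scripted UDFs off, UDF threads on (the safe direction).
    udf = as_bool(s.get("enable_user_defined_functions"), False)
    scripted = as_bool(s.get("enable_scripted_user_defined_functions"), False)
    threads = as_bool(s.get("enable_user_defined_functions_threads"), True)
    return udf and scripted and not threads


def version_is_patched(version):
    """Compare a dotted version against the fixed release of its branch.

    Returns True if the branch has a listed fix and the version is at or
    above it, False if it is below, and None when the branch is not one the
    article lists, so the caller can look it up rather than guess.
    """
    parts = tuple(int(p) for p in version.split("-")[0].split("."))
    fixed = FIXED_VERSIONS.get(parts[:2])
    if fixed is None:
        return None
    return parts >= fixed


def audit(yaml_text, version):
    """Return a list of findings for one node (empty list means nothing flagged)."""
    findings = []
    if udf_config_is_unsafe(yaml_text):
        findings.append("unsafe UDF configuration (CVE-2021-44521 preconditions met)")
    patched = version_is_patched(version)
    if patched is False:
        findings.append(f"version {version} is below the fixed release for its branch")
    elif patched is None:
        findings.append(f"version {version} is on a branch not listed here; check the advisory")
    return findings


if __name__ == "__main__":
    # Constructed node inventory: one vulnerable node, one hardened and patched node.
    for label, cfg, ver in [("node-a", UNSAFE_YAML, "3.11.9"), ("node-b", SAFE_YAML, "4.0.2")]:
        print(label, audit(cfg, ver) or ["ok"])
```

Running it flags node-a for both the configuration and the outdated version and reports node-b as clean. The parser deliberately treats a missing enable_user_defined_functions_threads key as true, matching the shipped default, so only an explicit false contributes to a finding.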
Let us know your thoughts in the comments.