Users of the popular Apache Cassandra DBMS would do well to beware. A vulnerability discovered by JFrog security researchers may lead to remote execution of malicious code. Tracked as CVE-2021-44521, this flaw, rated CVSS 8.4, should therefore be closed as soon as possible to avoid exploitation. Available as open source, Cassandra is widely used in the world of NoSQL distributed databases, in particular at Netflix, Reddit and Twitter. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but fortunately it only manifests in non-default Cassandra configurations,” explained JFrog security researcher Omer Kaspi.
A particular exploit configuration
Deployments vulnerable to CVE-2021-44521 must contain the following parameters in the cassandra.yaml configuration file:
To remove this risk, Apache Cassandra users should migrate to the fixed versions as soon as possible: 3.0.x deployments to 3.0.26, 3.11.x deployments to 3.11.12, and 4.0.x deployments to 4.0.2.
A possible workaround without an update
For users who cannot apply the latest security update, JFrog issued the following recommendations. First, if UDFs are not actively used, they can be disabled completely by setting enable_user_defined_functions to false (which is the default). If UDFs are needed, set enable_user_defined_functions_threads to true (which is also the default). Finally, JFrog researchers recommend removing the ability of untrusted users to create, modify and execute functions by revoking the CREATE, ALTER and EXECUTE permissions on the following resources: ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE, and FUNCTION. This can be done with a series of CQL queries, replacing role_name with the desired role.
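As an added example (not code from the article or from JFrog), the following Python helper audits a cassandra.yaml fragment for the two settings the workaround names, checks a reported version against the fixed releases, and emits the REVOKE statements for the listed function resources. It assumes standard CQL `REVOKE <permission> ON <resource> FROM <role>` syntax and that the relevant keys sit at the top level of cassandra.yaml; the sample config, role name and function signature are constructed.

```python
# Added audit helper, not part of the article or of Apache Cassandra/JFrog tooling.
# Uses a minimal flat "key: value" reader so it runs without PyYAML; the keys
# checked here are top-level entries in cassandra.yaml.

# Fixed releases named in the article, keyed by branch.
FIXED = {"3.0": (3, 0, 26), "3.11": (3, 11, 12), "4.0": (4, 0, 2)}

SAMPLE_CONFIG = """\
# constructed cassandra.yaml fragment (not a real deployment)
cluster_name: 'demo'
enable_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

def parse_flat_yaml(text):
    """Read top-level 'key: value' lines; comments, nested blocks and lists are skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        if not line or line.startswith((" ", "-")) or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def udf_exposed(settings):
    """True when UDFs are on and the per-UDF thread sandbox is off (the workaround
    says either setting at its default removes the exposure)."""
    udf_on = settings.get("enable_user_defined_functions", "false").lower() == "true"
    threads_on = settings.get("enable_user_defined_functions_threads", "true").lower() == "true"
    return udf_on and not threads_on

def is_patched(version):
    """True if version is at or above the fixed release for its branch."""
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED.get(".".join(version.split(".")[:2]))
    if fixed is None:
        raise ValueError(f"branch of {version!r} not covered by the advisory")
    return parts >= fixed

def revoke_statements(role, keyspace, function_sig):
    """CQL to strip CREATE/ALTER/EXECUTE on the three function resources.
    function_sig is e.g. 'ks.fn(int)' (assumed/constructed signature)."""
    resources = ["ALL FUNCTIONS", f"ALL FUNCTIONS IN KEYSPACE {keyspace}",
                 f"FUNCTION {function_sig}"]
    return [f"REVOKE {perm} ON {res} FROM {role};"
            for res in resources for perm in ("CREATE", "ALTER", "EXECUTE")]

if __name__ == "__main__":
    cfg = parse_flat_yaml(SAMPLE_CONFIG)
    print("exposed:", udf_exposed(cfg), "| patched 3.11.11:", is_patched("3.11.11"))
    print("\n".join(revoke_statements("analyst", "ks", "ks.fn(int)")))
```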