Users of the popular Apache Cassandra DBMS should take note: a vulnerability discovered by JFrog security researchers can lead to remote code execution. Tracked as CVE-2021-44521 and rated 8.4 on the CVSS scale, the flaw should be closed as soon as possible to prevent exploitation. Cassandra, which is open source, is widely used among distributed NoSQL databases, notably at Netflix, Reddit and Twitter. “This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but fortunately it only manifests in non-default Cassandra configurations,” explained JFrog security researcher Omer Kaspi.

This flaw was discovered by JFrog during its work on the sandbox in which Cassandra runs user-defined functions (UDFs). “Cassandra’s UDFs can be written in Java and JavaScript by default. In JavaScript, they use the Nashorn engine in the Java Runtime Environment (JRE), which is a JavaScript engine that runs on top of the Java Virtual Machine (JVM) […] We realized that a mix of specific (non-default) configuration options could allow us to abuse the Nashorn engine, escape the sandbox, and execute code remotely,” wrote JFrog, which also produced a proof-of-concept exploit.

A particular exploit configuration

Deployments vulnerable to CVE-2021-44521 must contain the following parameters in the cassandra.yaml configuration file:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false

To remove this exploit risk, Apache Cassandra users should upgrade as soon as possible: 3.0.x deployments to 3.0.26, 3.11.x deployments to 3.11.12 and 4.0.x deployments to 4.0.2.
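As an added example (not JFrog's or the Cassandra project's code), here is a small Python check that flags a cassandra.yaml containing the three-option combination listed above and reports whether a given Cassandra version is at or past the fixed release for its branch. Its line-based reader, and the assumption that enable_scripted_user_defined_functions is off when the key is absent, are mine.

```python
import re

# The three settings whose combination exposes the Nashorn sandbox escape (from the advisory).
VULNERABLE_COMBINATION = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}
# Values assumed for absent keys: the two defaults the article names (UDFs off,
# UDF threads on) plus the assumption that scripted UDFs are off when unset.
DEFAULTS = {
    "enable_user_defined_functions": "false",
    "enable_scripted_user_defined_functions": "false",
    "enable_user_defined_functions_threads": "true",
}
# Earliest fixed patch release per branch, as listed in the advisory.
FIXED_PATCH = {(3, 0): 26, (3, 11): 12, (4, 0): 2}

_TOP_LEVEL = re.compile(r"^([A-Za-z_]+):\s*([^\s#]+)")  # no indent => top-level key


def parse_top_level(yaml_text):
    """Minimal reader for top-level `key: value` lines (assumption: enough for these
    three boolean options; it is not a general YAML parser)."""
    found = {}
    for line in yaml_text.splitlines():
        m = _TOP_LEVEL.match(line)
        if m:
            found[m.group(1)] = m.group(2).lower()
    return found


def is_vulnerable_config(yaml_text):
    """True when all three options match the combination the advisory describes."""
    settings = {**DEFAULTS, **parse_top_level(yaml_text)}
    return all(settings[k] == v for k, v in VULNERABLE_COMBINATION.items())


def is_fixed_version(version):
    """True/False for the 3.0.x, 3.11.x and 4.0.x branches; None for any other branch."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    fixed = FIXED_PATCH.get((major, minor))
    return None if fixed is None else patch >= fixed


# Constructed sample: the exact non-default combination from the advisory.
SAMPLE_VULNERABLE = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # needed for JavaScript UDFs
enable_user_defined_functions_threads: false
"""
```

Running is_vulnerable_config over each node's cassandra.yaml, alongside is_fixed_version on the node's release, gives a quick inventory of which hosts still need the upgrade or the workaround.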

A possible workaround without an update

For users who cannot apply the security update, JFrog has issued the following recommendations. First, if UDFs are not actively used, disable them completely by setting enable_user_defined_functions to false (the default). If UDFs are needed, set enable_user_defined_functions_threads to true (the default). Finally, JFrog researchers recommend removing the ability of untrusted users to create, modify and execute functions by revoking the following permissions: ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE and FUNCTION for CREATE, ALTER and EXECUTE requests. This can be done with the following queries, replacing role_name with the desired role.