Bug 2053774 (CVE-2021-44521)

Summary: CVE-2021-44521 cassandra: RCE for scripted UDFs
Product: [Other] Security Response
Reporter: Todd Cullum <tcullum>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, asoldano, avibelli, bbaranow, bgeorges, bmaxwell, bmontgom, bperkins, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dbecker, dkreling, dosoudil, eclipseo, eleandro, eparis, extras-orphan, filip, fjuma, gmalinko, go-sig, gsmet, hvyas, iweiss, janstey, jburrell, jjoyce, jnethert, jochrist, jokerman, jolee, jpallich, jperkins, jross, jschatte, jschluet, jwon, kwills, lbalhar, lgao, lhh, lkundrak, loleary, lpeer, lthon, mburns, mkolesni, msochure, msvehla, mwringe, nstielau, nwallace, pantinor, pdelbell, peholase, pgallagh, pjindal, ploffay, pmackay, praiskup, probinso, rareddy, rguimara, rhos-maint, rruss, rstancel, rsvoboda, sbiarozk, sclewis, scohen, slinaber, smaestri, sostapov, spinder, sponnaga, swoodman, theute, tnielsen, tom.jenkinson, tvignaud, yborgess, ypadia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: cassandra 3.0.26, cassandra 3.11.12, cassandra 4.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cassandra that allows users with certain permissions to execute user-defined functions to create scripts and run remote code execution. This flaw allows an attacker to gain unwanted access and also execute actions against Cassandra.
Bug Depends On: 2059742, 2059743, 2059744, 2059745, 2078010, 2078011    
Bug Blocks: 2053773    

Description Todd Cullum 2022-02-12 01:38:31 UTC
When running Apache Cassandra with the following configuration in versions < 3.0.26, 3.11.12, and 4.0.2:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false 

it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

References:
http://seclists.org/oss-sec/2022/q1/134
https://issues.apache.org/jira/browse/CASSANDRA-17352
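
Added example (not part of the bug report or of the Cassandra project): a small audit check that reads a cassandra.yaml and reports whether the three settings named in the description are in the unsafe combination, and whether a given version carries the fix listed under "Fixed In Version". The function names, the sample text and the defaults assumed for absent keys (UDFs off, scripted UDFs off, UDF threads on) are assumptions of this example.

```python
import re

# Fixed release per branch, from the "Fixed In Version" field of this bug.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Assumed values when a key is absent from cassandra.yaml (assumption).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Top-level "key: value" only; commented-out or indented lines do not match.
KEY_RE = re.compile(r"^([A-Za-z_]+)\s*:\s*([^#]*)")

# Constructed sample: the configuration quoted in the description.
SAMPLE = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

def parse_flags(yaml_text):
    """Return the three UDF booleans, falling back to DEFAULTS."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = KEY_RE.match(line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip().strip("'\"").lower() == "true"
    return flags

def unsafe_config(yaml_text):
    """True only for the combination the bug describes."""
    f = parse_flags(yaml_text)
    return (f["enable_user_defined_functions"]
            and f["enable_scripted_user_defined_functions"]
            and not f["enable_user_defined_functions_threads"])

def has_fix(version):
    """True/False for the listed branches, None for any other branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def assess(yaml_text, version):
    # The description calls this configuration unsafe even on fixed
    # versions, so the two findings are reported separately.
    return {"unsafe_config": unsafe_config(yaml_text), "has_fix": has_fix(version)}
```

A result of unsafe_config True should be treated as a finding even when has_fix is True, since the description states the configuration remains unsafe after this CVE.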