Bug 2053774 (CVE-2021-44521) - CVE-2021-44521 cassandra: RCE for scripted UDFs
Summary: CVE-2021-44521 cassandra: RCE for scripted UDFs
Keywords:
Status: NEW
Alias: CVE-2021-44521
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2059742 2059743 2059744 2059745 2078010 2078011
Blocks: 2053773
 
Reported: 2022-02-12 01:38 UTC by Todd Cullum
Modified: 2024-02-01 03:42 UTC

Fixed In Version: cassandra 3.0.26, cassandra 3.11.12, cassandra 4.0.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Cassandra that allows users with certain permissions to execute user-defined functions to create scripts and perform remote code execution. This flaw allows an attacker to gain unwanted access and to execute actions against Cassandra.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Todd Cullum 2022-02-12 01:38:31 UTC
When running Apache Cassandra with the following configuration in versions < 3.0.26, 3.11.12, and 4.0.2:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false 

it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

References:
http://seclists.org/oss-sec/2022/q1/134
https://issues.apache.org/jira/browse/CASSANDRA-17352
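
A configuration check for the condition described above, as an added example that is not part of the original bug report or of Cassandra itself. The function names, the sample file contents and the assumed defaults for absent keys are illustrative assumptions; the fixed versions come from the "Fixed In Version" field.

```python
import re

# Fixed release per branch, from the bug's "Fixed In Version" field.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Assumption: values in effect when a key is absent from cassandra.yaml.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Constructed sample: the three settings quoted in the bug description.
SAMPLE = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false  # UDFs run in the calling thread
"""

def read_flags(yaml_text):
    """Read the three top-level UDF booleans; commented or indented lines are skipped."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"(\w+)\s*:\s*([^#]*)", line)
        if m and m.group(1) in flags:
            value = m.group(2).strip().strip("'\"").lower()
            flags[m.group(1)] = value in ("true", "yes", "on")  # YAML 1.1 spellings
    return flags

def unsafe_udf_config(flags):
    """True for the described combination: UDFs on, scripted UDFs on, UDF threads off."""
    return (flags["enable_user_defined_functions"]
            and flags["enable_scripted_user_defined_functions"]
            and not flags["enable_user_defined_functions_threads"])

def below_fix(version):
    """True/False against the branch's fixed release; None for unlisted branches."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    parts = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts < fixed

def audit(yaml_text, version):
    """unsafe_config holds on any version; cve_2021_44521 also needs a pre-fix release."""
    unsafe = unsafe_udf_config(read_flags(yaml_text))
    return {"unsafe_config": unsafe, "cve_2021_44521": below_fix(version) if unsafe else False}
```

Calling `audit(SAMPLE, "4.0.1")` flags both conditions, while a fixed release with the same settings still reports `unsafe_config`, matching the note that the configuration remains unsafe after the fix.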

