Researchers have revealed details of a now-patched high-severity
security vulnerability in Apache Cassandra that, if left
unaddressed, could be abused to gain remote code execution on
affected installations.
“This Apache security vulnerability is easy to exploit and has
the potential to wreak havoc on systems, but luckily only manifests
in non-default configurations of Cassandra,” Omer Kaspi, security
researcher at DevOps firm JFrog, said[1]
in a technical write-up published Tuesday.
Apache Cassandra is an open-source, distributed, NoSQL database
management system for managing very large amounts of structured
data across commodity servers.
Tracked as CVE-2021-44521[2]
(CVSS score: 8.4), the vulnerability concerns a specific scenario
where the configuration for user-defined functions (UDFs[3]) are enabled,
effectively allowing an attacker to leverage the Nashorn[4]
JavaScript engine, escape the sandbox, and achieve execution of
untrusted code.
Specifically, it was found that Cassandra deployments are
vulnerable to CVE-2021-44521 when the cassandra.yaml configuration
file contains the following definitions:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
“When the [enable_user_defined_functions_threads] option is set
to false, all invoked UDF functions run in the Cassandra daemon
thread, which has a security manager with some permissions,” Kaspi
said, thereby allowing the adversary to disable the security
manager and break out of the sandbox and run arbitrary shell
commands on the server.
Apache Cassandra users are encouraged to upgrade to versions
3.0.26[5], 3.11.12[6], and 4.0.2[7]
to avoid possible exploitation, which addresses the flaw by adding
a new flag “allow_extra_insecure_udfs” that’s set to false by
default and prevents turning off the security manager.
References
Read more https://thehackernews.com/2022/02/high-severity-rce-security-bug-reported.html