Researchers have exposed the specifics of a now-patched high-severity security vulnerability in Apache Cassandra that, if left ignored, could be exploited to enable remote code execution on vulnerable installations.
Omer Kaspi, a security researcher at DevOps firm JFrog, revealed in a technical write-up released on Tuesday that this Apache security vulnerability is straightforward to attack and has the potential to cause havoc on systems. Although, it only appears in non-default Cassandra settings.
Apache Cassandra is an open-source distributed, NoSQL database management system for handling huge volumes of structured data among commodity servers. The vulnerability, identified as CVE-2021-44521 (CVSS score of 8.4), affects a unique situation in which user-defined functions (UDFs) are allowed, allowing an attacker to exploit the Nashorn JavaScript engine, escape the sandbox, and execute untrusted code.
Cassandra installations were discovered to be vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file includes the following definitions:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
When the [enable_user_defined_functions_threads] option is false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions, according to Kaspi. This allows the adversary to disable the security manager and break out of the sandbox, allowing them to execute arbitrary shell commands on the server.
To avoid possible exploitation, users of Apache Cassandra should update to versions 3.0.26, 3.11.12, and 4.0.2, which solves the problem by introducing a new flag “allow_extra_insecure_udfs” that is set to false by default and precludes turning off the security manager.
