Platform: java
Component: org.apache.cassandra:cassandra-all
Fixed in: 3.0.26, 3.11.12, 4.0.2
CVE-2021-44521 describes a remote code execution (RCE) vulnerability in Apache Cassandra versions 3.0.9 and earlier. An attacker who can create user-defined functions (UDFs) within the Cassandra cluster can exploit this flaw to execute arbitrary code on the host system. The vulnerability arises only under a specific, documented-as-unsafe combination of cassandra.yaml settings: enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. Affected versions include Cassandra 3.0.0 through 3.0.9.
The impact of CVE-2021-44521 is severe. Arbitrary code runs with the privileges of the Cassandra process, which can give the attacker persistent access to the host, let them exfiltrate data stored in Cassandra, or turn the node into a launchpad for further attacks within the network; in effect it grants complete control over the affected node. Like other UDF-based RCE vulnerabilities, it underlines the importance of carefully reviewing and restricting UDF usage in production environments. The blast radius extends to any data stored within the compromised Cassandra cluster and potentially to other systems reachable from the compromised node.
CVE-2021-44521 was publicly disclosed on February 12, 2022. It is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) exploits are likely to emerge given the vulnerability's severity and the relatively straightforward exploitation path. The vulnerability's reliance on specific configuration settings may limit its immediate exploitability in well-configured environments, but misconfigured clusters remain at significant risk.
Organizations running Apache Cassandra in production environments, particularly those utilizing user-defined functions, are at risk. Environments with less stringent access controls, where users have broad permissions to create objects within the Cassandra cluster, are especially vulnerable. Shared hosting environments where multiple tenants share a Cassandra instance are also at increased risk.
• linux / server:
  journalctl -u cassandra | grep -i "user defined function"
• java:
  Inspect cassandra.yaml for the presence of enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false.
• generic web:
  Check Cassandra configuration files for the vulnerable settings. Review access logs for unusual UDF creation requests.
EPSS: 90.61% (100th percentile)
The primary mitigation for CVE-2021-44521 is to upgrade to Apache Cassandra version 3.0.26 or later, which includes the fix. If upgrading immediately is not feasible, disable user-defined functions entirely by setting enable_user_defined_functions: false in cassandra.yaml. Alternatively, restrict the permissions of users who can create UDFs to minimize the attack surface. As a temporary workaround, consider implementing a Web Application Firewall (WAF) or proxy to filter out malicious UDF requests, although this is not a substitute for patching. After upgrading, confirm the fix by attempting to create and execute a UDF with potentially malicious code; it should be rejected.
Update Apache Cassandra to version 3.0.26, 3.11.12 or 4.0.2 or later, depending on your release branch. Make sure to disable script-based user-defined functions (UDFs) if they are not needed, or run them in a secure environment. If script-based UDFs are required, avoid the documented unsafe configuration.
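The following audit script is an added example, not code from this advisory or from the Cassandra project. It reads the three UDF keys from a cassandra.yaml text (falling back to the shipped template's defaults, which is an assumption), compares the running version against the "Fixed in" releases listed above, and reports a node as exposed only when both an unfixed build and the documented-unsafe combination are present; the sample configurations are constructed.

```python
import re

# Documented-unsafe combination named in the advisory (key -> value).
UNSAFE = {"enable_user_defined_functions": True,
          "enable_scripted_user_defined_functions": True,
          "enable_user_defined_functions_threads": False}
# Defaults of the shipped cassandra.yaml template (assumption: unedited template).
DEFAULTS = {"enable_user_defined_functions": False,
            "enable_scripted_user_defined_functions": False,
            "enable_user_defined_functions_threads": True}
# First fixed release per branch, from the "Fixed in" list of this advisory.
FIXED_IN = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}
# Top-level boolean scalar; a commented-out line ("#enable_...") does not match.
_LINE = re.compile(r"^\s*(enable_\w+)\s*:\s*(true|false)\s*(#.*)?$", re.I)


def read_udf_settings(yaml_text):
    """Return the three UDF settings as bools, falling back to the defaults."""
    found = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = _LINE.match(line)
        if m and m.group(1) in found:
            found[m.group(1)] = m.group(2).lower() == "true"
    return found


def version_vulnerable(version):
    """True when the version is on a covered branch and below that branch's fix."""
    ver = tuple(int(p) for p in version.split("."))
    fixed = FIXED_IN.get(ver[:2])
    return fixed is not None and ver < fixed


def assess(version, yaml_text):
    """Exposed only when BOTH an unfixed build and the unsafe UDF config are present."""
    settings = read_udf_settings(yaml_text)
    old, unsafe = version_vulnerable(version), settings == UNSAFE
    return {"version_vulnerable": old, "unsafe_config": unsafe,
            "exposed": old and unsafe, "settings": settings}


# Constructed samples: the weak configuration beside a corrected one.
WEAK_YAML = """enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # documented as unsafe
"""
FIXED_YAML = """enable_user_defined_functions: true
# enable_scripted_user_defined_functions: true   (left at default: false)
enable_user_defined_functions_threads: true
"""
```

Calling assess("3.0.25", WEAK_YAML) reports the node as exposed, while the same build with FIXED_YAML, or any build at or above its branch's fix, does not.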
CVE-2021-44521 is a critical remote code execution vulnerability in Apache Cassandra versions 3.0.0 through 3.0.9. Attackers can execute arbitrary code by exploiting unsafe configurations related to user-defined functions.
You are affected if you are running Apache Cassandra versions 3.0.0 through 3.0.9 and have enabled user-defined functions with the vulnerable configuration settings.
Upgrade to Apache Cassandra version 3.0.26 or later. As a temporary workaround, disable user-defined functions in your cassandra.yaml configuration file.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and available proof-of-concept exploits suggest a high risk of exploitation.
Refer to the Apache Cassandra security advisory: https://cwiki.apache.org/confluence/display/CASSANDRA/Security