CRITICAL · CVE-2021-44521 · CVSS 9.1

CVE-2021-44521: RCE in Apache Cassandra

Platform

java

Component

org.apache.cassandra:cassandra-all

Fixed in

3.0.26

3.11.12

4.0.2

AI Confidence: high · NVD · EPSS 90.6% · Reviewed: May 2026

CVE-2021-44521 describes a remote code execution (RCE) vulnerability in Apache Cassandra versions 3.0.9 and earlier. An attacker who can create user-defined functions (UDFs) within the Cassandra cluster can exploit this flaw to execute arbitrary code on the host system. The vulnerability arises from the combination of specific, documented-as-unsafe configuration settings: enable_user_defined_functions, enable_scripted_user_defined_functions, and enable_user_defined_functions_threads. Affected versions include Cassandra 3.0.0 through 3.0.9.


Impact and Attack Scenarios

The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the Cassandra server, potentially leading to data breaches, system compromise, and denial of service. An attacker could exfiltrate sensitive data stored within the Cassandra database, modify data, or use the compromised server as a launchpad for further attacks within the network. The ability to execute arbitrary code means the attacker is not limited to specific actions; they can perform any operation the Cassandra process has permissions to do. This is particularly concerning in environments where Cassandra is used to store critical business data or manage sensitive user information. The documented unsafe configuration highlights the risk of misconfiguration leading to severe security consequences.

Exploitation Context

CVE-2021-44521 was publicly disclosed on February 12, 2022. While no active exploitation campaigns have been publicly confirmed, the vulnerability's CRITICAL severity and the potential for remote code execution make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of exploitation. The need to have permissions to create UDFs introduces a slight barrier to entry, but the potential impact justifies proactive mitigation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

90.61% (100th percentile)

CVSS Vector

CVSS 3.1 base score: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: org.apache.cassandra:cassandra-all
Vendor: osv

Affected range      Fixed in
3.0.0 – 3.0.25      3.0.26
3.1 – 3.11.11       3.11.12
4.0.0 – 4.0.1       4.0.2

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2021-44521 is to upgrade to Apache Cassandra version 3.0.26 or later, which contains the fix. If an immediate upgrade is not feasible, disabling user-defined functions (UDFs) is a critical temporary workaround. Specifically, set enable_user_defined_functions: false in the cassandra.yaml configuration file. Additionally, disable scripted UDFs by setting enable_scripted_user_defined_functions: false. Consider implementing a Web Application Firewall (WAF) or proxy to filter requests that attempt to create or execute UDFs. Monitor Cassandra logs for suspicious activity related to UDF creation or execution. After upgrading, verify the fix by attempting to create and execute a UDF with the previously vulnerable configuration; the operation should fail.

How to fix

Update Apache Cassandra to version 3.0.26, 3.11.12, or 4.0.2, or later, as appropriate for your version branch. Ensure that scripted user-defined functions (UDFs) are disabled if not needed, or run them in a secure environment. If scripted UDFs are necessary, avoid the documented unsafe configuration.
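The "documented unsafe configuration" referred to in the mitigation and fix sections above is, per the upstream Apache Cassandra advisory, the combination enable_user_defined_functions: true, enable_scripted_user_defined_functions: true and enable_user_defined_functions_threads: false (these are the 3.x/4.0 key names). The script below is an added example, not code from this page or from the Apache Cassandra project: it reads those three keys from a cassandra.yaml, applying Cassandra's shipped defaults for any that are absent, reports whether the unsafe combination is present, and rewrites the keys to the safe values the workaround asks for. The sample cassandra.yaml excerpt is constructed, and the small line-based reader is an assumption of this example; it handles only the three flat top-level keys involved and is not a general YAML parser.

```python
"""Audit a cassandra.yaml for the unsafe UDF combination behind CVE-2021-44521.

Added example: not code from the advisory page or the Apache Cassandra project.
Only the three flat top-level keys are read, with a deliberately small
line-based reader (an assumption of this example), so it runs with no YAML library.
"""

# Shipped cassandra.yaml defaults for the three keys (the safe state).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Safe values: the page's workaround (both enable_* flags false) plus the
# default for the threads flag, which keeps UDF execution on its own threads.
SAFE_VALUES = dict(DEFAULTS)


def _top_level_key(line: str):
    """Return the key of a top-level `key: value` line, else None.

    Comments are stripped first, so the commented-out stock lines that fill a
    default cassandra.yaml are ignored; indented (nested) lines are ignored too.
    """
    body = line.split("#", 1)[0].rstrip()
    if not body or body[0].isspace() or ":" not in body:
        return None
    return body.partition(":")[0].strip()


def read_udf_settings(yaml_text: str) -> dict:
    """Effective value of each UDF key after applying Cassandra's defaults."""
    settings = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        key = _top_level_key(line)
        if key in settings:
            value = line.split("#", 1)[0].partition(":")[2].strip().lower()
            settings[key] = value == "true"
    return settings


def is_vulnerable_config(yaml_text: str) -> bool:
    """True only when all three settings match the combination in the advisory."""
    s = read_udf_settings(yaml_text)
    return (
        s["enable_user_defined_functions"]
        and s["enable_scripted_user_defined_functions"]
        and not s["enable_user_defined_functions_threads"]
    )


def harden(yaml_text: str) -> str:
    """Rewrite the three keys in place to SAFE_VALUES; all other lines are kept.

    A key that is absent stays absent: Cassandra's default for it is already safe.
    """
    out = []
    for line in yaml_text.splitlines():
        key = _top_level_key(line)
        if key in SAFE_VALUES:
            out.append(f"{key}: {'true' if SAFE_VALUES[key] else 'false'}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt standing in for a real cassandra.yaml; not a real deployment.
UNSAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs allowed
enable_user_defined_functions_threads: false
# enable_user_defined_functions_threads: true  <- commented-out stock line, ignored
"""

if __name__ == "__main__":
    print("vulnerable before:", is_vulnerable_config(UNSAFE_YAML))  # True
    fixed = harden(UNSAFE_YAML)
    print(fixed)
    print("vulnerable after:", is_vulnerable_config(fixed))  # False
```

Run it against a real file by passing the file contents to is_vulnerable_config; a True result means the node matches the advisory's configuration and should be upgraded or have the UDF flags turned off, while a False result from a node that still has enable_user_defined_functions: true only means the specific combination is absent, not that UDFs are disabled.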


Frequently asked questions

What is CVE-2021-44521 — RCE in Apache Cassandra?

CVE-2021-44521 is a critical remote code execution vulnerability in Apache Cassandra versions 3.0.0 through 3.0.9. Attackers can execute arbitrary code by exploiting unsafe configurations related to user-defined functions.

Am I affected by CVE-2021-44521 in Apache Cassandra?

You are affected if you are running Apache Cassandra versions 3.0.0 through 3.0.9 and have enabled user-defined functions with the vulnerable configuration settings.

How do I fix CVE-2021-44521 in Apache Cassandra?

Upgrade to Apache Cassandra version 3.0.26 or later. As a temporary workaround, disable user-defined functions in your cassandra.yaml configuration file.

Is CVE-2021-44521 being actively exploited?

While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and available proof-of-concept exploits suggest a high risk of exploitation.

Where can I find the official Apache Cassandra advisory for CVE-2021-44521?

Refer to the Apache Cassandra security advisory: https://cwiki.apache.org/confluence/display/CASSANDRA/Security
