Platform
java
Component
org.apache.cassandra:cassandra-all
Fixed in
3.0.26
3.11.12
4.0.2
CVE-2021-44521 describes a remote code execution (RCE) vulnerability in Apache Cassandra versions 3.0.9 and earlier. An attacker who can create user-defined functions (UDFs) in the Cassandra cluster can exploit this flaw to execute arbitrary code on the host system. The vulnerability arises from a specific combination of configuration settings that the project documents as unsafe: enable_user_defined_functions, enable_scripted_user_defined_functions, and enable_user_defined_functions_threads. Affected versions include Cassandra 3.0.0 through 3.0.9.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the Cassandra server, potentially leading to data breaches, system compromise, and denial of service. An attacker could exfiltrate sensitive data stored within the Cassandra database, modify data, or use the compromised server as a launchpad for further attacks within the network. The ability to execute arbitrary code means the attacker is not limited to specific actions; they can perform any operation the Cassandra process has permissions to do. This is particularly concerning in environments where Cassandra is used to store critical business data or manage sensitive user information. The documented unsafe configuration highlights the risk of misconfiguration leading to severe security consequences.
CVE-2021-44521 was publicly disclosed on February 12, 2022. While no active exploitation campaigns have been publicly confirmed, the vulnerability's CRITICAL severity and the potential for remote code execution make remediation a high priority. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of exploitation. The requirement that the attacker hold permission to create UDFs is a modest barrier, but the potential impact justifies proactive mitigation.
EPSS
90.61% (100% percentile)
The primary mitigation for CVE-2021-44521 is to upgrade to Apache Cassandra version 3.0.26 or later, which contains the fix. If an immediate upgrade is not feasible, disabling user-defined functions (UDFs) is a critical temporary workaround. Specifically, set enable_user_defined_functions: false in the cassandra.yaml configuration file. Additionally, disable scripted UDFs by setting enable_scripted_user_defined_functions: false. Consider implementing a Web Application Firewall (WAF) or proxy to filter requests that attempt to create or execute UDFs. Monitor Cassandra logs for suspicious activity related to UDF creation or execution. After upgrading, verify the fix by attempting to create and execute a UDF with the previously vulnerable configuration; the operation should fail.
Update Apache Cassandra to version 3.0.26, 3.11.12, or 4.0.2, or later, as appropriate for your version branch. Ensure that scripted user-defined functions (UDFs) are disabled if not needed, or run them in a secure environment. If scripted UDFs are necessary, avoid the documented unsafe configuration.
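As an added audit check (not from this page or the Apache Cassandra project), the following POSIX sh script reads a cassandra.yaml and reports whether it carries the documented-unsafe UDF combination, which the Apache advisory gives as enable_user_defined_functions: true, enable_scripted_user_defined_functions: true and enable_user_defined_functions_threads: false. The helper names, the assumed defaults for absent keys (false, false, true) and the constructed sample fragment are assumptions, not values taken from a real deployment.

```shell
#!/bin/sh
# Audit a cassandra.yaml for the documented-unsafe UDF combination behind
# CVE-2021-44521. Hypothetical helper written for this page, not part of
# Apache Cassandra. Assumes the yaml keys sit at top level, one per line.

# Print the effective value of KEY in FILE, lower-cased. Commented-out
# lines (leading '#') are skipped, a trailing comment is dropped, the
# last uncommented assignment wins, and DEFAULT is used if none exists.
yaml_value() {
  file=$1 key=$2 default=$3
  val=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*:[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$file" | tail -n 1)
  [ -n "$val" ] || val=$default
  printf '%s\n' "$val" | tr '[:upper:]' '[:lower:]'
}

# Print "EXPOSED (...)" when all three settings match the unsafe
# combination (true / true / false), otherwise "OK (...)". The defaults
# used for absent keys (false / false / true) are an assumption about the
# release's shipped cassandra.yaml; confirm them against your own copy.
udf_verdict() {
  udf=$(yaml_value "$1" enable_user_defined_functions false)
  scripted=$(yaml_value "$1" enable_scripted_user_defined_functions false)
  threads=$(yaml_value "$1" enable_user_defined_functions_threads true)
  detail="udf=$udf scripted=$scripted threads=$threads"
  if [ "$udf" = true ] && [ "$scripted" = true ] && [ "$threads" = false ]; then
    printf 'EXPOSED (%s)\n' "$detail"
  else
    printf 'OK (%s)\n' "$detail"
  fi
}

# Demo on a constructed fragment (not a real deployment file). The first
# line is commented out and must not count as the effective setting.
demo=$(mktemp)
cat > "$demo" <<'EOF'
# enable_user_defined_functions: false
enable_user_defined_functions: true   # scripted UDFs require this too
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
EOF
udf_verdict "$demo"    # EXPOSED (udf=true scripted=true threads=false)
rm -f "$demo"
```

Run it against each node's cassandra.yaml before and after applying the workaround; a node reports OK once either UDF flag is false or the threads flag is back to true.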
CVE-2021-44521 is a critical remote code execution vulnerability in Apache Cassandra versions 3.0.0 through 3.0.9. Attackers can execute arbitrary code by exploiting unsafe configurations related to user-defined functions.
You are affected if you are running Apache Cassandra versions 3.0.0 through 3.0.9 and have enabled user-defined functions with the vulnerable configuration settings.
Upgrade to Apache Cassandra version 3.0.26 or later. As a temporary workaround, disable user-defined functions in your cassandra.yaml configuration file.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and available proof-of-concept exploits suggest a high risk of exploitation.
Refer to the Apache Cassandra security advisory: https://cwiki.apache.org/confluence/display/CASSANDRA/Security