Platform: java
Component: org.apache.cassandra:cassandra-all
Fixed in: 3.0.26, 3.11.12, 4.0.2
CVE-2021-44521 describes a remote code execution (RCE) vulnerability in Apache Cassandra versions 3.0.9 and earlier. An attacker who is permitted to create user-defined functions (UDFs) in the cluster can exploit the flaw to execute arbitrary code on the host system. The vulnerability arises from a specific combination of configuration settings that the project documents as unsafe: enable_user_defined_functions, enable_scripted_user_defined_functions, and enable_user_defined_functions_threads. Affected versions include Cassandra 3.0.0 through 3.0.9.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to gain complete control over the Cassandra server, potentially leading to data breaches, system compromise, and denial of service. An attacker could exfiltrate sensitive data stored within the Cassandra database, modify data, or use the compromised server as a launchpad for further attacks within the network. The ability to execute arbitrary code means the attacker is not limited to specific actions; they can perform any operation the Cassandra process has permissions to do. This is particularly concerning in environments where Cassandra is used to store critical business data or manage sensitive user information. The documented unsafe configuration highlights the risk of misconfiguration leading to severe security consequences.
CVE-2021-44521 was publicly disclosed on February 12, 2022. While no active exploitation campaigns have been publicly confirmed, the vulnerability's CRITICAL severity and the potential for remote code execution make it a high-priority target. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are available, increasing the risk of exploitation. The need to have permissions to create UDFs introduces a slight barrier to entry, but the potential impact justifies proactive mitigation.
Organizations running Apache Cassandra in production environments, particularly those utilizing user-defined functions, are at risk. Environments with less stringent access controls, where users have broad permissions to create objects within the Cassandra cluster, are especially vulnerable. Shared hosting environments where multiple tenants share a Cassandra instance are also at increased risk.
• linux / server:
journalctl -u cassandra | grep -i "user defined function"
• java:
Inspect cassandra.yaml for the presence of enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false.
• generic web:
Check Cassandra configuration files for the vulnerable settings. Review access logs for unusual UDF creation requests.
EPSS: 90.61% (100th percentile)
The primary mitigation for CVE-2021-44521 is to upgrade to Apache Cassandra version 3.0.26 or later, which contains the fix. If an immediate upgrade is not feasible, disabling user-defined functions (UDFs) is a critical temporary workaround: set enable_user_defined_functions: false in the cassandra.yaml configuration file. Additionally, disable scripted UDFs by setting enable_scripted_user_defined_functions: false. Consider placing a Web Application Firewall (WAF) or proxy in front of the cluster to filter requests that attempt to create or execute UDFs. Monitor Cassandra logs for suspicious activity related to UDF creation or execution. After upgrading, verify the fix by attempting to create and execute a UDF with the previously vulnerable configuration; the operation should fail.
Upgrade Apache Cassandra to version 3.0.26, 3.11.12 or 4.0.2, or later, as appropriate for your release branch. Make sure scripted user-defined functions (UDFs) are disabled if they are not needed, or run them in a secure environment. If scripted UDFs are required, avoid the documented unsafe configuration.
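As an added example (not code from this page or from the Apache Cassandra project), the following Python script implements the configuration check from the detection section and the version check from the mitigation section above: it reads the flat top-level keys of a cassandra.yaml, reports whether the documented-unsafe UDF combination is present, and compares a running version with the fixed releases listed on this page. The sample YAML fragments are constructed for the example, and the line-based reader is an assumption that covers only the flat `key: value` form these options use.

```python
"""Added example (not from the original page): flag the CVE-2021-44521
unsafe UDF combination in cassandra.yaml and check a version against
the fixed releases the page lists."""
import re

# Keys and values of the unsafe combination, as written in cassandra.yaml.
UNSAFE_COMBINATION = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}
# First fixed release per branch, from the page's "Fixed in" field.
FIXED_IN = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}
_KV = re.compile(r"^([A-Za-z0-9_]+)\s*:\s*(.*?)\s*(?:#.*)?$")

# Constructed sample fragments, not copied from any real host.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
# enable_user_defined_functions: false   (commented default is ignored)
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false  # the unsafe combination
"""
HARDENED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
"""

def parse_top_level(yaml_text):
    """Read the flat top-level `key: value` lines these options use;
    comments, blank lines and indented (nested) lines are skipped."""
    settings = {}
    for line in yaml_text.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue
        m = _KV.match(line)
        if m:
            settings[m.group(1)] = m.group(2).lower()
    return settings

def is_unsafe_udf_config(yaml_text):
    """True only when all three settings match the unsafe values."""
    settings = parse_top_level(yaml_text)
    return all(settings.get(k) == v for k, v in UNSAFE_COMBINATION.items())

def version_is_fixed(version):
    """Compare a release string `major.minor.patch` with its branch's
    fixed release; unknown branches or short strings count as not fixed."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED_IN.get(parts[:2]) if len(parts) == 3 else None
    return fixed is not None and parts >= fixed
```

Run it against the real /etc/cassandra/cassandra.yaml by passing the file contents to is_unsafe_udf_config, and pass the output of `nodetool version` to version_is_fixed.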
CVE-2021-44521 is a critical remote code execution vulnerability in Apache Cassandra versions 3.0.0 through 3.0.9. Attackers can execute arbitrary code by exploiting unsafe configurations related to user-defined functions.
You are affected if you are running Apache Cassandra versions 3.0.0 through 3.0.9 and have enabled user-defined functions with the vulnerable configuration settings.
Upgrade to Apache Cassandra version 3.0.26 or later. As a temporary workaround, disable user-defined functions in your cassandra.yaml configuration file.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity and available proof-of-concept exploits suggest a high risk of exploitation.
Refer to the Apache Cassandra security advisory: https://cwiki.apache.org/confluence/display/CASSANDRA/Security