Sunday, 14 August 2022

Apache Cassandra Database Manager Patches an RCE Vulnerability


Apache and its open-source tools have gotten a lot of press lately. After the Log4Shell vulnerability in the Log4j library, and the massive response from vendors and security organizations, we are now learning that researchers have discovered a remote code execution flaw in the NoSQL database management tool Cassandra. This time, unlike the Log4j flaw, the disclosure comes with a patch already available for installation.

The bug is described as easy to exploit remotely, although it appears to affect only custom, non-default configurations. In these configurations Cassandra is set up to handle user defined functions (UDFs). If a specific option is not properly configured for these functions, an attacker can abuse the internal JavaScript engine and execute unauthorized code on the target system. The configuration item, located in the cassandra.yaml file, is “enable_user_defined_functions_threads”. If this is set to false while the other user defined function options are set to true (including allowing scripted functions), then the configuration is vulnerable to exploit and compromise.

As previously mentioned, Apache already has patched versions available (3.0.26, 3.11.12, and 4.0.2) which remediate the vulnerability even if these other options are enabled. The “fix” is the addition of a new setting in the yaml file, “allow_extra_insecure_udfs”, which is disabled (set to false) by default. This should block the execution of unauthorized user defined functions, but it does seem to be more of a bandage than a real fix.
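To make the two paragraphs above concrete, here is a small audit script that reads a cassandra.yaml and reports whether the UDF settings form the risky combination the post describes, and whether a patched release's allow_extra_insecure_udfs default would still block it. This is an added example, not code from the original post or from the Cassandra project. The post names only enable_user_defined_functions_threads and allow_extra_insecure_udfs; the other two key names (enable_user_defined_functions and enable_scripted_user_defined_functions) are the stock cassandra.yaml switches for UDFs and scripted UDFs, and the sample configuration fragments are constructed for the example.

```python
"""Audit a cassandra.yaml for the UDF configuration combination behind
CVE-2021-44521. Added example; not from the original post or the Cassandra
project.

Risky combination (pre-patch releases):
  enable_user_defined_functions: true
  enable_scripted_user_defined_functions: true
  enable_user_defined_functions_threads: false
Patched releases (3.0.26, 3.11.12, 4.0.2) add allow_extra_insecure_udfs,
false by default, which must be true before that combination is honoured.
"""
import re

# Minimal parser for top-level "key: value" lines so the script runs without
# PyYAML. Assumption: the keys of interest are top-level scalars, as in a
# stock cassandra.yaml; nested keys and comments are skipped.
_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*(?:#.*)?$")


def parse_top_level(text):
    """Return a dict of top-level scalar settings from cassandra.yaml text."""
    settings = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":   # nested key, blank line or comment
            continue
        m = _KV.match(line)
        if m and m.group(2) != "":
            settings[m.group(1)] = m.group(2).strip("\"'")
    return settings


def as_bool(value, default=False):
    """Interpret a YAML scalar as a boolean, falling back to the given default."""
    if value is None:
        return default
    return str(value).strip().lower() == "true"


def audit_udf_config(text, patched):
    """Classify the UDF settings.

    Returns (status, reasons) where status is one of:
      'safe'       - scripted UDFs are off, or the UDF threads are on
      'hardened'   - risky combination set, but a patched release blocks it
                     because allow_extra_insecure_udfs is not true
      'vulnerable' - risky combination is effective
    """
    s = parse_top_level(text)
    udfs = as_bool(s.get("enable_user_defined_functions"))
    scripted = as_bool(s.get("enable_scripted_user_defined_functions"))
    # The threads option defaults to true in a stock cassandra.yaml.
    threads = as_bool(s.get("enable_user_defined_functions_threads"), default=True)
    # New setting in patched releases; off unless explicitly set to true.
    extra = as_bool(s.get("allow_extra_insecure_udfs"))

    if not (udfs and scripted):
        return "safe", ["scripted UDFs are not enabled"]
    if threads:
        return "safe", ["enable_user_defined_functions_threads is true"]

    # Scripted UDFs are on and the UDF threads are off.
    if patched and not extra:
        return "hardened", [
            "patched release blocks this combination because "
            "allow_extra_insecure_udfs is not true"
        ]
    reasons = ["scripted UDFs enabled with enable_user_defined_functions_threads=false"]
    if patched:
        reasons.append("allow_extra_insecure_udfs=true re-enables the insecure combination")
    else:
        reasons.append("unpatched release: upgrade to 3.0.26, 3.11.12 or 4.0.2")
    return "vulnerable", reasons


# Constructed sample fragments for the example; not real deployments.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # turns off the UDF sandbox threads
"""

# Same settings with the new switch explicitly turned on (re-opens the hole).
OPTED_IN_YAML = VULNERABLE_YAML + "allow_extra_insecure_udfs: true\n"


if __name__ == "__main__":
    checks = [
        ("unpatched node", VULNERABLE_YAML, False),
        ("patched node, default allow_extra_insecure_udfs", VULNERABLE_YAML, True),
        ("patched node, allow_extra_insecure_udfs=true", OPTED_IN_YAML, True),
    ]
    for label, cfg, patched in checks:
        status, reasons = audit_udf_config(cfg, patched)
        print(f"{label}: {status} ({'; '.join(reasons)})")
```

Run it against a real file with `audit_udf_config(open("cassandra.yaml").read(), patched=True)`; the `patched` flag stands in for the release check, since the yaml alone does not say which Cassandra version is reading it.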

Still, something is better than nothing when it comes to RCE flaws. If you are running an unpatched version of Cassandra and have UDFs enabled, then it is highly recommended that you patch as soon as possible to avoid compromise. The CVE this is tracked under is CVE-2021-44521.

Happy patching
