Learn about CVE-2021-44521 impacting Apache Cassandra, allowing remote code execution through user-defined functions. Find mitigation steps and preventive measures.
Apache Cassandra before versions 3.0.26, 3.11.12, and 4.0.2 allows remote code execution through scripted user-defined functions (UDFs) when the node is run with scripted UDFs enabled and enable_user_defined_functions_threads set to false.
Understanding CVE-2021-44521
This CVE describes a sandbox escape in Apache Cassandra's scripted user-defined functions (UDFs): under a specific non-default configuration, code supplied in a UDF body runs with the privileges of the Cassandra process on the host.
What is CVE-2021-44521?
When Apache Cassandra is configured with UDFs and scripted UDFs enabled and with enable_user_defined_functions_threads set to false, a user who is allowed to create UDFs can use a scripted UDF to execute unauthorized code on the host.
The Impact of CVE-2021-44521
The vulnerability allows a malicious party to run arbitrary code on the host as the Cassandra process, provided the party already holds a database role with permission to create functions in the cluster. It is therefore a privilege escalation from a database account to the operating system, not an unauthenticated remote attack.
Technical Details of CVE-2021-44521
The vulnerability lies in how Apache Cassandra confines scripted UDFs, and it only surfaces under a specific combination of configuration settings.
Vulnerability Description
The issue is improper control of code generation: the body of a scripted UDF is supplied by a database user, and when the UDF does not run in its own restricted thread the sandbox fails to contain it, so the user-supplied script amounts to code injection into the Cassandra process.
Affected Systems and Versions
Apache Cassandra before 3.0.26, 3.11.12, and 4.0.2 (that is, the 3.0.x, 3.11.x and 4.0.x branches prior to those releases), and only when run with UDFs and scripted UDFs enabled and enable_user_defined_functions_threads set to false.
Exploitation Mechanism
An attacker who holds permission to create functions defines a scripted UDF whose body escapes the UDF sandbox and executes arbitrary code on the host. This is only reachable on a node that has enable_user_defined_functions and enable_scripted_user_defined_functions set to true while enable_user_defined_functions_threads is set to false; with the default value of true, UDFs execute in separate, restricted threads and the escape is not available.
Mitigation and Prevention
Steps to remove the exposure immediately and to prevent it from recurring in Apache Cassandra deployments.
Immediate Steps to Take
Make sure every node runs UDFs in their own restricted threads by keeping the following setting in cassandra.yaml:
enable_user_defined_functions_threads: true
This is the default setting; a node is only exposed if the value has been changed to false. If scripted UDFs are not needed, also set enable_scripted_user_defined_functions to false, and review which roles are granted permission to create functions.
Long-Term Security Practices
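The check below ties together the exploitation mechanism and the immediate steps above: it reads the three UDF switches from a cassandra.yaml and the node's version string and reports whether the CVE-2021-44521 condition is present. It is an added example written for this page, not code from the Apache Cassandra project; the sample YAML fragments are constructed for illustration, and the tiny flat-key parser is an assumption that is sufficient for these top-level boolean keys (it does not handle nested YAML).

```python
"""Audit cassandra.yaml and the node version for the CVE-2021-44521 condition:
scripted UDFs enabled while UDF threads are disabled, on an unpatched release.
Added example for this page, not Apache Cassandra project code."""

# Fixed releases per branch, as stated in the advisory.
FIXED_VERSIONS = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Defaults shipped in cassandra.yaml: UDFs off, scripted UDFs off, UDF threads on.
UDF_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}


def parse_flat_yaml(text):
    """Minimal parser for top-level 'key: value' lines (assumed sufficient here;
    it ignores indented/nested entries and comments, and needs no PyYAML)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        cfg[key.strip()] = value.strip()
    return cfg


def as_bool(value, default):
    """Interpret a YAML scalar as a boolean, falling back to the shipped default."""
    if value is None or value == "":
        return default
    v = value.lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_version(version):
    """'3.11.11' -> (3, 11, 11); a '-SNAPSHOT' style suffix is dropped."""
    parts = version.split("-", 1)[0].split(".")
    return tuple(int(p) for p in parts[:3])


def version_is_fixed(version):
    """True if the release carries the fix for its branch (3.0.26/3.11.12/4.0.2).
    Branches not in the table are treated as fixed only if newer than 4.0.2."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return v >= fixed if fixed else v >= (4, 0, 2)


def audit(yaml_text, version):
    """Return (exposed, findings): exposed is True when the vulnerable
    combination of settings is active; findings lists the remediation steps."""
    cfg = parse_flat_yaml(yaml_text)
    flags = {k: as_bool(cfg.get(k), d) for k, d in UDF_DEFAULTS.items()}
    exposed = (
        flags["enable_user_defined_functions"]
        and flags["enable_scripted_user_defined_functions"]
        and not flags["enable_user_defined_functions_threads"]
    )
    findings = []
    if exposed:
        findings.append(
            "scripted UDFs run without UDF threads: set "
            "enable_user_defined_functions_threads: true (the default)"
        )
        if not version_is_fixed(version):
            findings.append(
                f"Cassandra {version} predates the fix: upgrade to "
                "3.0.26, 3.11.12 or 4.0.2 (or later) for the branch in use"
            )
    return exposed, findings


# Constructed sample configurations (not taken from any real deployment).
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # the dangerous change
"""

DEFAULT_THREADS_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
# enable_user_defined_functions_threads left at its default (true)
"""

if __name__ == "__main__":
    for name, yaml_text in (("vulnerable", VULNERABLE_YAML), ("default", DEFAULT_THREADS_YAML)):
        exposed, findings = audit(yaml_text, "3.11.11")
        print(f"{name}: exposed={exposed}")
        for f in findings:
            print("  -", f)
```

Run it against the cassandra.yaml of each node in the cluster together with the version reported by nodetool; a node is exposed only when all three switches line up, so the default threads setting alone clears the finding, while the version check tells you whether an upgrade is still due.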
Patching and Updates
Upgrade to Apache Cassandra 3.0.26, 3.11.12, or 4.0.2 (or later) for the branch in use, and keep UDF-related settings at their defaults unless a reviewed use case requires otherwise.