Apache Cassandra vulnerability puts servers at risk

A potential remote code execution vulnerability has been disclosed and patched for the Apache Cassandra database platform.

Researchers with DevOps vendor JFrog say that the flaw, designated CVE-2021-44521, could allow an attacker to perform a denial-of-service attack and gain remote code execution over the NoSQL database in some cases.

Rated an 8.4 on the CVSS scale, the vulnerability is due to a failure to properly sanitize user-defined function (UDF) inputs. These means that when a user is able to input UDF commands, they can knock it offline and potentially take control of the server in worst-case scenarios.

The bug, which has been patched, comes with some major caveats. Most notably, the ability to exploit the flaw is disabled by default. Rather, the Cassandra database must be specifically configured to allow UDFs.

"This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra," JFrog research Omer Kaspi wrote in a blog post Tuesday.

Specifically, the cassandra.yaml file must be configured with the below three lines of code in order for the flaw to be exploited as RCE (the first two allow denial of service):

enable_user_defined_functions: true

enable_scripted_user_defined_functions: true

enable_user_defined_functions_threads: false

This means that out-of-the-box Cassandra installations are not going to be vulnerable. According to JFrog senior director of security research Shachar Menashe, however, the function is useful enough that there is no shortage of systems that have been made vulnerable.

"The vulnerability will present itself when user defined functions are enabled (without touching the  [enable_user_defined_functions_threads] configuration), which is fairly common since user defined functions are very helpful for a multitude of reasons," Menashe said in an email to SearchSecurity.

"This feature is highly documented, and many tutorials exist on how to use the user-defined functions in Cassandra."

Kaspi noted in the blog post that Cassandra is used by many large enterprises such as Cisco, Netflix, Twitter and Reddit, and is "extremely popular extremely popular in DevOps and cloud-native development circles."

Menashe said that while the exact number of vulnerable machines is unknown, scanning and finding possible targets could be trivial for attackers, as many of the vulnerable databases are public-facing and could be found via scanning services such as Shodan.

"When you couple the enablement of the user defined functions with the default anonymous login for Cassandra, you're looking at a very high likelihood that your Cassandra instance is susceptible to this DoS attack," Menashe explained.

"The 3rd configuration that enables remote code execution (RCE) is  [enable_user_defined_functions_threads = false], which is something more exotic or rare in its usage, but is still a well-documented configuration."

Fortunately, there is a fix available for systems that might be prone to CVE-2021-44521. Updating Apache Cassandra to version 3.0.26, 3.11.12 or 4.0.2 will close off the vulnerability, regardless of configuration settings.