CVE-2021-44521: Critical code execution vulnerability in Apache Cassandra (CVSS score of 8.4)

A full white paper was released this week on a recently fixed a critical remote code execution (RCE) vulnerability in Apache Cassandra, a distributed NoSQL database that offers high scalability very popular with companies like Cisco, Netflix, Reddit, Twitter, Urban Airship, OpenX, and more.

Tracked as CVE-2021-44521, the vulnerability only affects non-default database configurations, which could lead to complete compromise of the affected system. This vulnerability received a score of 8.4/10 according to the Common Vulnerability Scoring System (CVSS), according to Jfrog specialists.

The flaw only occurs if the functionality to create user-defined functions (UDFs) for custom data processing is enabled in Cassandra, and can only be abused if the attacker has sufficient permissions to create these UDFs. This is not a default setting and has been documented as insecure before.

The UDF function in Cassandra can be written in Java and JavaScript, and the latter uses the Nashorn engine, so it is not guaranteed to be secure when accepting code that is not trusted and it would be best to run it in a secure environment.

While Caszandra implements a sandbox to restrict UDF code, by enabling some optional settings threat actors could abuse the Nashorn engine to escape the secure environment and execute remote code on the affected system.

Cassandra deployments are vulnerable when configured to allow UDF scripts, but not UDF threads. By default, UDF threads are enabled, which means that each invoked UDF function runs on a separate thread. When UDFs are enabled, all users can create and run arbitrary UDFs, including those who logged on anonymously.

In its white paper on CVE-2021-44521, Jfrog detailed a process that allowed evading Cassandra’s sandbox environment, demonstrated in its proof of concept (PoC). The security firm also noted the identification of some other flaws, including denial-of-service (DoS) attacks and other RCE vulnerabilities.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.