High Severity Vulnerability Detected in Apache Database System Used by Large Enterprises

Researchers detail code execution vulnerability in Apache Cassandra

JFrog security researchers on Tuesday released full technical details of a high-severity remote code execution vulnerability addressed in the latest version of Apache Cassandra.

A distributed NoSQL database with great scalability, Cassandra is popular among organizations such as Netflix, Reddit, Twitter, Cisco, Constant Contact, Digg, Urban Airship, OpenX, etc., as well as among cloud-native development circles and DevOps.

Tracked as CVE-2021-44521 (CVSS score of 8.4), the newly patched vulnerability only affects non-default database configurations – mitigating the fact that it’s easy to exploit – resulting in a complete system compromise.

The security error only exists if the feature to create user-defined functions (UDFs) for custom data processing is enabled in Cassandra and can only be exploited if the attacker has sufficient permissions to create UDFs. The configuration is not the default and has been documented as insecure.

[READ: Log4Shell-Like Vulnerability Found in Popular H2 Database]

Cassandra’s UDFs can be written in both Java and JavaScript, the latter using the Nashorn engine, which “is not guaranteed to be secure when accepting untrusted code”, meaning it must run in a sandbox, explains JFrog.

In fact, Cassandra implements a custom sandbox to restrict UDF code, but JFrog discovered that when a series of non-default configuration options are enabled, an attacker could “abuse the Nashorn engine, escape the sandbox sand and achieve remote code execution”. ”

Specifically, Cassandra deployments are vulnerable when configured to allow UDFs and scripted UDFs, but not UDF threads. By default, UDF threads are enabled, which means that each UDF function called runs in a separate thread.

When UDFs are enabled, all users can create and run arbitrary UDFs, including those logged in anonymously, explains JFrog.

In its technical write-up on CVE-2021-44521, the security firm also explained how it was able to escape Cassandra’s sandbox and provided a demonstration of its proof-of-concept (PoC) code in action.

The security firm also notes that during its research several other issues were identified, including a denial of service attack and a remote code execution exploit via deserialization of insecure objects.

CVE-2021-44521 has been resolved with the release of Apache Cassandra versions 3.0.26, 3.11.12, and 4.0.2, and users are advised to upgrade to the fixed iterations as soon as possible.

“Apache’s patch adds a new flag – allow_extra_insecure_udfs (false by default) which disallows disabling the security manager and blocks access to java.lang.System,” says JFrog.

Users can also mitigate the impact of this vulnerability by disabling UDFs, allowing UDF threads (the default configuration), and denying permissions to untrusted users.

Related: Many Prometheus endpoints expose sensitive data

Related: HAProxy Vulnerability Leads to Smuggling of HTTP Requests

Related: NicheStack’s TCP/IP Stack Vulnerabilities Affect Many OT Device Vendors

Ionut Argire is an international correspondent for SecurityWeek.

Previous columns by Ionut Arghire:
Key words:

Comments are closed.