Security Advisory: CVE-2021-44521

On Friday, February 11, 2022, Instaclustr was advised that a new CVE for Apache Cassandra® had been published. The CVE affects clusters that have User Defined Functions (UDFs) enabled in a particular combination of cassandra.yaml settings. Instaclustr has investigated our configurations and confirmed that this CVE does not affect our services, as we do not have UDFs enabled. Self-hosted users are urged to check their configuration against the settings listed below and either correct it or upgrade as advised. Please note that upgrading Cassandra mitigates this specific CVE, but the configuration itself is still considered unsafe.

If you have any queries regarding this vulnerability and how it relates to Instaclustr services, please contact [email protected]

Advisory for CVE-2021-44521:

When running Apache Cassandra with all of the following settings together

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

it is possible for an attacker to execute arbitrary code on the host. To exploit this, the attacker would need sufficient permissions to create user-defined functions in the cluster. The combination matters because scripted (JavaScript) UDFs rely on a sandbox that Cassandra enforces for code running in its dedicated UDF threads; with enable_user_defined_functions_threads set to false the script runs in the daemon's own threads instead, outside that enforcement. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

This issue is tracked as CASSANDRA-17352.

Mitigation:

Set enable_user_defined_functions_threads: true (this is the default)

or

  • 3.0 users should upgrade to 3.0.26
  • 3.11 users should upgrade to 3.11.12
  • 4.0 users should upgrade to 4.0.2
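As a check self-hosted users can run against their own nodes, the following is an added example (not Instaclustr's or Apache Cassandra's code) that reads the three flags from a cassandra.yaml excerpt, falls back to the shipped defaults for any key that is absent, and compares the running version with the fixed releases listed above. The defaults assumed for the two UDF enable keys, the acceptance of yes/no/on/off as boolean spellings, and the sample configuration excerpts are all assumptions or constructed inputs, noted in the comments.

```python
"""Offline check of a cassandra.yaml excerpt and a Cassandra version against
the CVE-2021-44521 conditions. Added example, not project code."""
import re
from typing import Dict, Optional, Tuple

# All three flags must hold for the exploitable configuration (per the advisory).
VULNERABLE_SETTINGS: Dict[str, bool] = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}

# Assumption: values used when a key is absent from cassandra.yaml. The advisory
# states the threads default; the other two are the stock-file defaults (UDFs off).
DEFAULTS: Dict[str, bool] = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# First release on each line carrying the CASSANDRA-17352 fix (per the advisory).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (3, 0): (3, 0, 26),
    (3, 11): (3, 11, 12),
    (4, 0): (4, 0, 2),
}

_TRUE = {"true", "yes", "on"}      # assumption: YAML 1.1 boolean spellings
_FALSE = {"false", "no", "off"}
_KV_RE = re.compile(r"^([A-Za-z0-9_]+):\s*(\S+)$")
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_flat_booleans(yaml_text: str) -> Dict[str, bool]:
    """Collect top-level boolean `key: value` settings from cassandra.yaml text.
    Deliberately minimal, not a YAML parser: only un-indented scalar lines are
    read, `#` comments are stripped, non-boolean values are ignored."""
    settings: Dict[str, bool] = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace():
            continue  # blank, comment-only, or a nested key
        m = _KV_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("'\"").lower()
        if value in _TRUE:
            settings[key] = True
        elif value in _FALSE:
            settings[key] = False
    return settings


def is_vulnerable_config(settings: Dict[str, bool]) -> bool:
    """True only when the parsed settings (plus defaults) match all three conditions."""
    return all(settings.get(key, DEFAULTS[key]) == value
               for key, value in VULNERABLE_SETTINGS.items())


def parse_version(version: str) -> Tuple[int, int, int]:
    """'3.11.12' -> (3, 11, 12); a missing patch component counts as 0.
    Assumption: any suffix after the numeric part (e.g. '-SNAPSHOT') is ignored."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_patched_version(version: str) -> Optional[bool]:
    """True if the version carries the fix, False if it predates the fix on a
    covered line, None when the advisory does not cover that line (e.g. 2.x)."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed


def assess(yaml_text: str, version: str) -> str:
    """One verdict per node, combining the configuration and version checks."""
    if not is_vulnerable_config(parse_flat_booleans(yaml_text)):
        return "NOT_EXPOSED"  # at least one of the three conditions is absent
    patched = is_patched_version(version)
    if patched is None:
        return "UNSAFE_CONFIG_UNKNOWN_VERSION"
    if patched:
        return "UNSAFE_CONFIG_PATCHED"  # CVE mitigated by the upgrade; config still unsafe
    return "VULNERABLE"


# Constructed cassandra.yaml excerpts, not taken from any real cluster.
UNSAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs
enable_user_defined_functions_threads: false
"""

SAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
# threads key omitted: Cassandra falls back to its default of true
"""

if __name__ == "__main__":
    for label, text, ver in (("unsafe/3.11.11", UNSAFE_YAML, "3.11.11"),
                             ("unsafe/3.11.12", UNSAFE_YAML, "3.11.12"),
                             ("safe/3.0.25", SAFE_YAML, "3.0.25")):
        print(f"{label}: {assess(text, ver)}")
```

Run it against the real file with `assess(open("/etc/cassandra/cassandra.yaml").read(), version)` where `version` comes from `nodetool version` or the `release_version` column of `system.local`; the UNSAFE_CONFIG_PATCHED verdict is deliberate, since the advisory treats the configuration as unsafe even after the upgrade.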

Credit: This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team.
