Threat Alert

by IthacaLabs™

THREAT LEVEL/High 16/02/2022

New High-Severity RCE Security Bug in Apache Cassandra Database Software

Threat Level Description

Threat Level: High - An attack is highly likely. Additional and sustainable protective security measures are required, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.

Description

We have observed that a new remote code execution vulnerability in the Apache Cassandra database management software has been identified.

An attacker exploiting this vulnerability could achieve remote code execution, escalate their access privileges and ultimately compromise the affected system.

Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.

This vulnerability, tracked as CVE-2021-44521, is exploitable only in a specific scenario: user-defined functions (UDFs) are enabled and the “cassandra.yaml” configuration file contains the following settings:

• enable_user_defined_functions: true
• enable_scripted_user_defined_functions: true
• enable_user_defined_functions_threads: false

By leveraging the “Nashorn” JavaScript engine, an attacker with permission to create UDFs can disable the security manager and effectively break out of the UDF sandbox, resulting in the execution of arbitrary shell commands on the server.

Note that the configuration of Apache Cassandra that is vulnerable to “CVE-2021-44521” is not the default configuration of Apache Cassandra.
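As an added example (not part of the original alert), the following Python script checks a cassandra.yaml for the exact three-setting combination described above. The defaults it assumes for keys absent from the file are an assumption and should be verified against the cassandra.yaml shipped with your Cassandra version; the sample configurations are constructed.

```python
"""Flag a cassandra.yaml whose settings match the CVE-2021-44521 combination."""
import re

# Assumed defaults for keys absent from the file; they match the cassandra.yaml
# shipped with Cassandra, but verify them against your own version.
ASSUMED_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}
# The exploitable combination named in the advisory.
VULNERABLE_COMBO = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}
# Flat `key: value` line, tolerating a trailing `# comment`.
_LINE = re.compile(r"^\s*(?P<key>[A-Za-z_]+)\s*:\s*(?P<value>[^#]*?)\s*(#.*)?$")

def parse_flags(yaml_text):
    """Return the three UDF booleans explicitly set in the text.
    Commented-out lines are skipped, so `#enable_user_defined_functions: true`
    counts as not set."""
    found = {}
    for line in yaml_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m or m.group("key") not in VULNERABLE_COMBO:
            continue
        value = m.group("value").strip().lower()
        if value in ("true", "false"):
            found[m.group("key")] = value == "true"
    return found

def assess(yaml_text):
    """Return (matches_cve_combination, effective_settings)."""
    effective = dict(ASSUMED_DEFAULTS)
    effective.update(parse_flags(yaml_text))
    return all(effective[k] == v for k, v in VULNERABLE_COMBO.items()), effective

# Constructed sample: the advisory's unsafe combination, plus an unrelated key.
UNSAFE_SAMPLE = """cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false  # per-UDF threads disabled
"""
# Same file with the threads line commented out, so the assumed default applies.
SAFER_SAMPLE = UNSAFE_SAMPLE.replace("\nenable_user_defined_functions_threads", "\n# enable_user_defined_functions_threads")
```

Run `assess(open("/etc/cassandra/cassandra.yaml").read())` against a real node; only a result of `True` in the first position is the combination this alert describes, while a `False` still warrants review if scripted UDFs are enabled at all.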

CVE(s)

CVE-2021-44521

BASE SCORE: 8.5 High
VECTOR: (AV:N/AC:M/Au:S/C:C/I:C/A:C)

When running Apache Cassandra with the following configuration:

• enable_user_defined_functions: true
• enable_scripted_user_defined_functions: true
• enable_user_defined_functions_threads: false

it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user-defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Affected Systems

• N/A

Recommendation(s)

Upgrade immediately to the latest version of Apache Cassandra that addresses this flaw. Because the affected configuration is documented as unsafe even after the fix, leave scripted UDFs disabled unless they are strictly required and do not set enable_user_defined_functions_threads to false.

Security updates must be applied with urgency, whatever the size of your organization. Maintain an efficient patch management process, keep security event logging enabled and practice active event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to risk management, including Penetration Testing at least annually and upon significant changes.
