June 26, 2022

TheCyberThrone

Thinking Security! Always

Apache Cassandra RCE released

Researchers disclosed details of a now-patched, high-severity vulnerability, CVE-2021-44521, in Apache Cassandra, an open-source NoSQL database, that could be exploited by remote attackers to achieve code execution on affected installations.


Cassandra lets users create user-defined functions (UDFs) that perform custom processing of data inside the database. UDFs can be written in Java or JavaScript; JavaScript UDFs run on the Nashorn engine in the Java Runtime Environment (JRE), which is not secure when it is given untrusted code.

Researchers discovered that, with a particular UDF configuration enabled, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.

Experts noticed that exploitation is possible when the cassandra.yaml configuration file contains the following settings:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

If enable_user_defined_functions_threads is set to false, every invoked UDF runs in the Cassandra daemon thread, which runs under a security manager that still grants some permissions.

Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. They add a new flag, allow_extra_insecure_udfs, which is set to false by default; with it off, Cassandra prevents the security manager from being turned off and blocks access to java.lang.System.
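The settings above are easy to check with a small audit script. The following is an added example, not code from the post or from the Apache Cassandra project: it reads a cassandra.yaml as flat `key: value` lines (enough for these flags, nested sections are ignored) and flags the combination the post describes, plus the new allow_extra_insecure_udfs flag. The sample YAML strings are constructed for the demonstration, and the fallback defaults (UDFs off, scripted UDFs off, UDF threads on, extra insecure UDFs off) are an assumption about Cassandra's shipped defaults rather than something stated in the post.

```python
"""Audit a cassandra.yaml for the UDF settings tied to CVE-2021-44521.

Added example, not part of the original post or of Apache Cassandra.
Only flat top-level `key: value` lines are understood.
"""

# Constructed sample: the vulnerable combination the post describes.
VULNERABLE_YAML = """\
# cassandra.yaml (constructed sample, not a real deployment)
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # Nashorn / JavaScript UDFs
enable_user_defined_functions_threads: false
"""

# Constructed sample: a configuration matching the patched defaults.
SAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: true
allow_extra_insecure_udfs: false
"""


def parse_flat_yaml(text):
    """Return a dict of top-level scalar settings.

    Comments are stripped, indented (nested) keys and list items are skipped,
    and surrounding quotes on values are removed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line or line.startswith((" ", "\t", "-")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def as_bool(value, default):
    """Interpret a YAML-ish boolean; fall back to `default` when the key is absent."""
    if value is None:
        return default
    return str(value).strip().lower() in ("true", "yes", "on", "1")


def audit_udf_settings(yaml_text):
    """Return a list of findings; an empty list means nothing UDF-related stands out."""
    cfg = parse_flat_yaml(yaml_text)
    # Assumed shipped defaults (see lead-in): UDFs off, scripted UDFs off,
    # UDF threads on, extra insecure UDFs off.
    udfs = as_bool(cfg.get("enable_user_defined_functions"), False)
    scripted = as_bool(cfg.get("enable_scripted_user_defined_functions"), False)
    threads = as_bool(cfg.get("enable_user_defined_functions_threads"), True)
    extra_insecure = as_bool(cfg.get("allow_extra_insecure_udfs"), False)

    findings = []
    if udfs and scripted and not threads:
        findings.append(
            "CVE-2021-44521 precondition: scripted UDFs enabled and "
            "enable_user_defined_functions_threads=false (UDFs run in the daemon thread)"
        )
    elif udfs and scripted:
        findings.append(
            "scripted (Nashorn) UDFs enabled; confirm Cassandra is 3.0.26, 3.11.12, 4.0.2 or later"
        )
    if extra_insecure:
        findings.append(
            "allow_extra_insecure_udfs=true re-enables turning off the security manager"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_YAML), ("safe", SAFE_YAML)):
        print(name, "->", audit_udf_settings(text) or ["no findings"])
```

In practice, run `audit_udf_settings(open("/etc/cassandra/cassandra.yaml").read())` against each node and treat any finding as a reason to verify the installed version; the script deliberately only reports, it never edits the file.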
