Researchers disclosed details of a now-patched, high-severity vulnerability, CVE-2021-44521, in Apache Cassandra, an open-source NoSQL database, that remote attackers could exploit to achieve code execution on affected installations.
Researchers discovered that when user-defined functions (UDFs) are enabled in the configuration, threat actors could abuse the Nashorn JavaScript engine to escape the sandbox and achieve remote code execution.
Experts noted that exploitation is possible when the cassandra.yaml configuration file contains the following definitions:
- enable_user_defined_functions_threads: false
If this option is set to false, all invoked UDFs run in the Cassandra daemon thread, which is guarded by a security manager that grants some permissions.
Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. The fix adds a new flag, "allow_extra_insecure_udfs", which is set to false by default; in that state it prevents turning off the security manager and blocks access to java.lang.System.
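As an added example (not part of the original article or the Cassandra project), the following script inspects a cassandra.yaml for the settings this advisory turns on: enable_user_defined_functions and enable_scripted_user_defined_functions are Cassandra's real keys that together enable scripted UDFs, and the defaults assumed for absent keys follow Cassandra's documented defaults. The sample configurations are constructed.

```python
# Added example: classify the UDF sandbox posture of a cassandra.yaml.
# Only flat "key: value" lines are parsed, which is all these settings need,
# so the script runs without PyYAML.
import re

# Cassandra defaults, assumed when a key is absent from the file.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,  # added by 3.0.26 / 3.11.12 / 4.0.2
}

_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*:\s*([^#]*?)\s*(?:#.*)?$")

def parse_flat_yaml(text):
    """Return the four relevant boolean settings, falling back to DEFAULTS."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m or m.group(1) not in DEFAULTS:
            continue  # comment, blank, or an unrelated key
        settings[m.group(1)] = m.group(2).strip().lower() == "true"
    return settings

def assess_udf_config(text):
    """'safe', 'exposed', or 'mitigated-if-patched' for the given config text."""
    s = parse_flat_yaml(text)
    scripted_udfs = (s["enable_user_defined_functions"]
                     and s["enable_scripted_user_defined_functions"])
    if not scripted_udfs or s["enable_user_defined_functions_threads"]:
        return "safe"  # scripted UDFs off, or run in separate sandboxed threads
    if s["allow_extra_insecure_udfs"]:
        return "exposed"  # operator explicitly allowed the insecure combination
    # Threads disabled with the new flag at its default: the patched releases
    # keep the security manager on; older releases do not have the flag at all.
    return "mitigated-if-patched"

# Constructed sample configurations (not taken from any real deployment).
SAMPLE_EXPOSED = """enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # UDFs in the daemon thread
allow_extra_insecure_udfs: true
"""
SAMPLE_SAFE = """enable_user_defined_functions: true
# enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", SAMPLE_EXPOSED), ("safe", SAMPLE_SAFE)):
        print(name, "->", assess_udf_config(cfg))
```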