December 3, 2023

Researchers disclosed details of a now-patched high-severity security vulnerability, CVE-2021-44521, in Apache Cassandra, an open-source NoSQL database, that could be exploited by remote attackers to achieve code execution on affected installations.


Cassandra lets users create user-defined functions (UDFs) that perform custom processing of data in the database. UDFs can be written in Java or JavaScript; the JavaScript ones are run by the Nashorn engine in the Java Runtime Environment (JRE), which is not secure when accepting untrusted code.

Researchers discovered that when the configuration for UDFs is enabled, threat actors could leverage the Nashorn engine to escape the sandbox and achieve remote code execution.

Experts noticed that the exploitation is possible when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

If enable_user_defined_functions_threads is set to false, all invoked UDFs run in the Cassandra daemon thread, which has a security manager with some permissions.

Apache released versions 3.0.26, 3.11.12, and 4.0.2 to address the vulnerability. The fix adds a new flag, “allow_extra_insecure_udfs”, that is set to false by default; in that state it prevents turning off the security manager and blocks access to java.lang.System.
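As an added defensive check (not code from this post or from the Cassandra project), the following Python classifies a node from its cassandra.yaml settings and its version using only the keys and fix releases named above; it assumes the UDF keys are top-level scalars and that absent keys take Cassandra's shipped defaults.

```python
import re

# Fix versions per release branch, as named in the post.
FIXED_IN = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

def parse_top_level(text):
    """Collect un-indented 'key: value' scalars, dropping trailing comments."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z0-9_]+):\s*([^#]*)", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().lower()
    return settings

def udf_exposure(yaml_text, version):
    """Return 'off', 'sandboxed', 'vulnerable', 'mitigated', 'insecure' or 'unknown'."""
    s = parse_top_level(yaml_text)
    # Missing keys fall back to Cassandra's shipped defaults (assumption).
    udf = s.get("enable_user_defined_functions", "false") == "true"
    scripted = s.get("enable_scripted_user_defined_functions", "false") == "true"
    own_threads = s.get("enable_user_defined_functions_threads", "true") == "true"
    extra_insecure = s.get("allow_extra_insecure_udfs", "false") == "true"
    if not (udf and scripted):
        return "off"          # no scripted UDFs, so no Nashorn path at all
    if own_threads:
        return "sandboxed"    # UDFs run in dedicated threads, not the daemon thread
    parts = tuple(int(p) for p in version.split("."))
    fixed = FIXED_IN.get(parts[:2])
    if fixed is None:
        return "unknown"      # branch not covered by the post's fix list
    if parts < fixed:
        return "vulnerable"   # CVE-2021-44521: daemon thread on a pre-fix release
    # Patched release: only safe while allow_extra_insecure_udfs stays false.
    return "insecure" if extra_insecure else "mitigated"

# Constructed sample fragments (not taken from any real deployment).
RISKY_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # Nashorn-backed UDFs
enable_user_defined_functions_threads: false
"""
DEFAULT_THREADS_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
"""

if __name__ == "__main__":
    for ver in ("3.11.11", "3.11.12", "4.0.2"):
        print(ver, udf_exposure(RISKY_YAML, ver))
```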
