[ https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490815#comment-17490815 ]
Marcus Eriksson commented on CASSANDRA-17352:
---------------------------------------------

It is possible for an attacker to create a scripted UDF which executes arbitrary code on the server. Attacker needs to have enough permissions to create user defined functions on the server, and {{enable_user_defined_functions_threads}} must have been changed from {{false}} to {{true}} by the operator

https://github.com/apache/cassandra/commit/5c9ba06dd31157cd224af2cec75521fefe2c9883

to continue running with {{enable_user_defined_functions_threads: false}} setting {{allow_insecure_udfs: true}} is required

to continue accessing {{System.*}} classes, {{allow_extra_insecure_udfs: true}} is required

> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
> Key: CASSANDRA-17352
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/UDF
> Reporter: Marcus Eriksson
> Assignee: Marcus Eriksson
> Priority: Normal
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false
> it is possible for an attacker to execute arbitrary code on the host. The
> attacker would need to have enough permissions to create user defined
> functions in the cluster to be able to exploit this. Note that this
> configuration is documented as unsafe, and will continue to be considered
> unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
>
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
>
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability
> research team.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org