[jira] [Commented] (CASSANDRA-17352) CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs

Fri, 11 Feb 2022 02:15:06 -0800 


    [ 
https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490815#comment-17490815
 ] 

Marcus Eriksson commented on CASSANDRA-17352:
---------------------------------------------

It is possible for an attacker to create a scripted UDF which executes 
arbitrary code on the server.

Attacker needs to have enough permissions to create user defined functions on 
the server, and  {{enable_user_defined_functions_threads}} must have been 
changed from {{false}} to {{true}} by the operator

https://github.com/apache/cassandra/commit/5c9ba06dd31157cd224af2cec75521fefe2c9883

to continue running with {{enable_user_defined_functions_threads: false}} 
setting {{allow_insecure_udfs: true}} is required

to continue accessing {{System.*}} classes, {{allow_extra_insecure_udfs: true}} 
is required

> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17352
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/UDF
>            Reporter: Marcus Eriksson
>            Assignee: Marcus Eriksson
>            Priority: Normal
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false 
> it is possible for an attacker to execute arbitrary code on the host. The 
> attacker would need to have enough permissions to create user defined 
> functions in the cluster to be able to exploit this. Note that this 
> configuration is documented as unsafe, and will continue to be considered 
> unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability 
> research team.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

Reply via email to