This is an automated email from the ASF dual-hosted git repository.

edimitrova pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-website.git


The following commit(s) were added to refs/heads/trunk by this push:
     new c813553  CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394
c813553 is described below

commit c8135531e97d9f0de4fc39437c6c18e18e6e4f79
Author: Diogenese Topper <diotop...@gmail.com>
AuthorDate: Fri Feb 18 11:30:00 2022 -0800

    CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs
    patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394
---
 site-content/source/modules/ROOT/pages/blog.adoc   | 25 ++++++++++++++++++++++
 .../modules/ROOT/pages/blog/Upgrade-Advisory2.adoc | 25 ++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/site-content/source/modules/ROOT/pages/blog.adoc 
b/site-content/source/modules/ROOT/pages/blog.adoc
index 946af0f..14e51cd 100644
--- a/site-content/source/modules/ROOT/pages/blog.adoc
+++ b/site-content/source/modules/ROOT/pages/blog.adoc
@@ -14,6 +14,31 @@ NOTES FOR CONTENT CREATORS
 [openblock,card-header]
 ------
 [discrete]
+=== Apache Cassandra Upgrade Advisory
+[discrete]
+==== February 18, 2022
+------
+[openblock,card-content]
+------
+If the operator has configured the cluster in a documented insecure way, it is 
possible for malicious users to execute remote code using scripted UDFs. Users 
of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset 
enable_user_defined_functions_threads back to true.
+
+[openblock,card-btn card-btn--blog]
+--------
+
+[.btn.btn--alt]
+xref:blog/Upgrade-Advisory2.adoc[Read More]
+--------
+
+------
+----
+//end card
+
+//start card
+[openblock,card shadow relative test]
+----
+[openblock,card-header]
+------
+[discrete]
 === Behind the scenes of an Apache Cassandra Release
 [discrete]
 ==== February 18, 2022
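Review bot: the card summary added at `+If the operator has configured the cluster in a documented insecure way` loses its verb in the second sentence; `Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.` is a fragment. The full post in Upgrade-Advisory2.adoc carries the complete wording (`We are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.`); use that same sentence here so the card text and the post agree.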
diff --git a/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc 
b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc
new file mode 100644
index 0000000..c4353be
--- /dev/null
+++ b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc
@@ -0,0 +1,25 @@
+= Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for 
Scripted UDFs
+:page-layout: single-post
+:page-role: blog-post
+:page-post-date: February 18, 2022
+:page-post-author: The Apache Cassandra Community
+:description: The Apache Cassandra Community
+:keywords: 
+
+If the operator has configured the cluster in a documented insecure way, it is 
possible for a malicious user to execute remote code using scripted UDFs. We 
are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset 
enable_user_defined_functions_threads back to true.
+
+The vulnerability being tracked in CASSANDRA-17352 makes it possible for an 
attacker to execute arbitrary code on the host. It’s important to note that to 
be exposed the user would have to opt-in to a configuration option that is 
documented as unsafe in the configuration file. While it’s difficult to 
estimate exposure to this CVE, it is likely narrow due to the need for opt-in. 
Note that this configuration is documented as unsafe, and will continue to be 
considered unsafe after this CVE.
+
+Mitigation:
+
+1. When running Apache Cassandra with the following configuration:
+```
+enable_user_defined_functions: true
+enable_scripted_user_defined_functions: true
+enable_user_defined_functions_threads: false
+```
+
+Set `enable_user_defined_functions_threads: true` (this is default)
+
+[start=2]
+2. We suggest 3.0 users should upgrade to 3.0.26; 3.11 users should upgrade to 
3.11.12; and 4.0 users should upgrade to 4.0.3.
\ No newline at end of file
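Review bot: the post metadata in this hunk is incomplete: `:description:` repeats the author string (`The Apache Cassandra Community`) instead of describing the post, and `:keywords:` is left empty; set the description to the one-sentence summary from the first paragraph and add keywords such as security, UDF, and upgrade. Two smaller points: the body says "this CVE" but only names the tracking ticket CASSANDRA-17352, so the CVE identifier should be added once it is assigned, and the file is committed without a trailing newline (`\ No newline at end of file`).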

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
