This is an automated email from the ASF dual-hosted git repository. edimitrova pushed a commit to branch trunk in repository https://gitbox.apache.org/repos/asf/cassandra-website.git
The following commit(s) were added to refs/heads/trunk by this push: new c813553 CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394 c813553 is described below commit c8135531e97d9f0de4fc39437c6c18e18e6e4f79 Author: Diogenese Topper <diotop...@gmail.com> AuthorDate: Fri Feb 18 11:30:00 2022 -0800 CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394 --- site-content/source/modules/ROOT/pages/blog.adoc | 25 ++++++++++++++++++++++ .../modules/ROOT/pages/blog/Upgrade-Advisory2.adoc | 25 ++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/site-content/source/modules/ROOT/pages/blog.adoc b/site-content/source/modules/ROOT/pages/blog.adoc index 946af0f..14e51cd 100644 --- a/site-content/source/modules/ROOT/pages/blog.adoc +++ b/site-content/source/modules/ROOT/pages/blog.adoc @@ -14,6 +14,31 @@ NOTES FOR CONTENT CREATORS [openblock,card-header] ------ [discrete] +=== Apache Cassandra Upgrade Advisory +[discrete] +==== February 18, 2022 +------ +[openblock,card-content] +------ +If the operator has configured the cluster in a documented insecure way, it is possible for malicious users to execute remote code using scripted UDFs. Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true. + +[openblock,card-btn card-btn--blog] +-------- + +[.btn.btn--alt] +xref:blog/Upgrade-Advisory2.adoc[Read More] +-------- + +------ +---- +//end card + +//start card +[openblock,card shadow relative test] +---- +[openblock,card-header] +------ +[discrete] === Behind the scenes of an Apache Cassandra Release [discrete] ==== February 18, 2022 
diff --git a/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc new file mode 100644 index 0000000..c4353be --- /dev/null +++ b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc 
@@ -0,0 +1,25 @@ += Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs +:page-layout: single-post +:page-role: blog-post +:page-post-date: February 18, 2022 +:page-post-author: The Apache Cassandra Community +:description: The Apache Cassandra Community +:keywords: + +If the operator has configured the cluster in a documented insecure way, it is possible for a malicious user to execute remote code using scripted UDFs. We are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true. + +The vulnerability being tracked in CASSANDRA-17352 makes it possible for an attacker to execute arbitrary code on the host. It’s important to note that to be exposed the user would have to opt-in to a configuration option that is documented as unsafe in the configuration file. While it’s difficult to estimate exposure to this CVE, it is likely narrow due to the need for opt-in. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE. + +Mitigation: + +1. When running Apache Cassandra with the following configuration: +``` +enable_user_defined_functions: true +enable_scripted_user_defined_functions: true +enable_user_defined_functions_threads: false +``` + +Set `enable_user_defined_functions_threads: true` (this is default) + +[start=2] +2. We suggest 3.0 users should upgrade to 3.0.26; 3.11 users should upgrade to 3.11.12; and 4.0 users should upgrade to 4.0.3. \ No newline at end of file --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org
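Review bot: in the blog.adoc hunk, the card blurb sentence "Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true." has no main verb, so the teaser reads as a fragment. Suggest matching the wording of the full post: "We advise users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset `enable_user_defined_functions_threads` back to true." Consider also backticking the option name, as the full post does for the same setting.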
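Review bot: in the Upgrade-Advisory2.adoc hunk, the page header sets `:description: The Apache Cassandra Community`, which just repeats `:page-post-author:`, and `:keywords:` is left empty; since the description feeds the page metadata, suggest a one-sentence summary such as "Advisory: remote code execution via scripted UDFs when enable_user_defined_functions_threads is disabled; upgrade to 3.0.26, 3.11.12 or 4.0.3." Two smaller points in the same hunk: the body refers to "this CVE" three times but gives no CVE identifier and does not link CASSANDRA-17352, so readers cannot track it from the post (add the identifier and a JIRA link rather than leaving it implicit); and, given that the stated exposure requires all three settings (`enable_user_defined_functions: true`, `enable_scripted_user_defined_functions: true`, `enable_user_defined_functions_threads: false`), the mitigation could state that operators who do not need scripted UDFs can also set `enable_scripted_user_defined_functions: false` in addition to restoring the default for the threads option. The file also ends without a trailing newline ("\ No newline at end of file").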