Posted to commits@cassandra.apache.org by "Marcus Eriksson (Jira)" <ji...@apache.org> on 2022/02/11 10:15:00 UTC

[jira] [Commented] (CASSANDRA-17352) CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs

    [ https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17490815#comment-17490815 ] 

Marcus Eriksson commented on CASSANDRA-17352:
---------------------------------------------

It is possible for an attacker to create a scripted UDF which executes arbitrary code on the server.

An attacker needs to have enough permissions to create user defined functions on the server, and {{enable_user_defined_functions_threads}} must have been changed from {{false}} to {{true}} by the operator.

https://github.com/apache/cassandra/commit/5c9ba06dd31157cd224af2cec75521fefe2c9883

To continue running with {{enable_user_defined_functions_threads: false}}, setting {{allow_insecure_udfs: true}} is required.

To continue accessing {{System.*}} classes, {{allow_extra_insecure_udfs: true}} is required.

> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17352
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/UDF
>            Reporter: Marcus Eriksson
>            Assignee: Marcus Eriksson
>            Priority: Normal
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false 
> it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team.
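As an added example (not part of this Jira thread and not Cassandra's own code), a small Python audit that reads a node's cassandra.yaml text and reports whether the settings combination described in this advisory is present, using the option names from the advisory and the follow-up comment. Only the default of enable_user_defined_functions_threads is stated on the page; the other defaults below are assumptions.

```python
import re

# Top-level boolean keys from the advisory and the follow-up comment, with defaults.
UDF_DEFAULTS = {
    "enable_user_defined_functions": False,           # assumed default
    "enable_scripted_user_defined_functions": False,  # assumed default
    "enable_user_defined_functions_threads": True,    # default per the advisory
    "allow_insecure_udfs": False,                     # assumed default
    "allow_extra_insecure_udfs": False,               # assumed default
}

def parse_udf_settings(yaml_text):
    """Pick the UDF keys out of cassandra.yaml text. Only unindented 'key: true/false'
    lines count, so commented-out or nested occurrences are ignored."""
    settings = dict(UDF_DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"^([a-z_]+):\s*(true|false)\s*(?:#.*)?$", line, re.IGNORECASE)
        if m and m.group(1) in settings:
            settings[m.group(1)] = m.group(2).lower() == "true"
    return settings

def audit_udf_settings(settings):
    """Return findings; an empty list means the advisory's preconditions are not met."""
    s, findings = settings, []
    threads = s["enable_user_defined_functions_threads"]
    if s["enable_user_defined_functions"] and s["enable_scripted_user_defined_functions"] and not threads:
        findings.append("CVE-2021-44521 preconditions met: scripted UDFs with "
                        "enable_user_defined_functions_threads: false; set it to true "
                        "or upgrade to 3.0.26 / 3.11.12 / 4.0.2")
    if s["enable_user_defined_functions"] and not threads and s["allow_insecure_udfs"]:
        findings.append("allow_insecure_udfs: true keeps UDFs running with "
                        "enable_user_defined_functions_threads: false (documented as unsafe)")
    if s["enable_user_defined_functions"] and s["allow_extra_insecure_udfs"]:
        findings.append("allow_extra_insecure_udfs: true lets UDFs access System.* classes")
    return findings

# Constructed sample configs, not taken from any real cluster.
VULNERABLE_YAML = """\
# enable_user_defined_functions_threads: true   <- commented out, must be ignored
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""
MITIGATED_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true
"""
```

Against a real node, call `audit_udf_settings(parse_udf_settings(open("cassandra.yaml").read()))`; an empty list means the advisory's conditions are not met.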
