Posted to commits@cassandra.apache.org by ed...@apache.org on 2022/02/18 21:32:25 UTC

[cassandra-website] branch trunk updated: CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394

This is an automated email from the ASF dual-hosted git repository.

edimitrova pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/cassandra-website.git


The following commit(s) were added to refs/heads/trunk by this push:
     new c813553  CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394
c813553 is described below

commit c8135531e97d9f0de4fc39437c6c18e18e6e4f79
Author: Diogenese Topper <di...@gmail.com>
AuthorDate: Fri Feb 18 11:30:00 2022 -0800

    CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs
    patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394
---
 site-content/source/modules/ROOT/pages/blog.adoc   | 25 ++++++++++++++++++++++
 .../modules/ROOT/pages/blog/Upgrade-Advisory2.adoc | 25 ++++++++++++++++++++++
 2 files changed, 50 insertions(+)

diff --git a/site-content/source/modules/ROOT/pages/blog.adoc b/site-content/source/modules/ROOT/pages/blog.adoc
index 946af0f..14e51cd 100644
--- a/site-content/source/modules/ROOT/pages/blog.adoc
+++ b/site-content/source/modules/ROOT/pages/blog.adoc
@@ -14,6 +14,31 @@ NOTES FOR CONTENT CREATORS
 [openblock,card-header]
 ------
 [discrete]
+=== Apache Cassandra Upgrade Advisory
+[discrete]
+==== February 18, 2022
+------
+[openblock,card-content]
+------
+If the operator has configured the cluster in a documented insecure way, it is possible for malicious users to execute remote code using scripted UDFs. Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.
+
+[openblock,card-btn card-btn--blog]
+--------
+
+[.btn.btn--alt]
+xref:blog/Upgrade-Advisory2.adoc[Read More]
+--------
+
+------
+----
+//end card
+
+//start card
+[openblock,card shadow relative test]
+----
+[openblock,card-header]
+------
+[discrete]
 === Behind the scenes of an Apache Cassandra Release
 [discrete]
 ==== February 18, 2022
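Review bot: the card summary sentence is missing its main verb: "Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true." reads as a fragment, unlike the full post in Upgrade-Advisory2.adoc which says "We are advising users of ...". Suggest aligning the two so the card reads "We are advising users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset `enable_user_defined_functions_threads` back to true." Also check whether the `test` class in `[openblock,card shadow relative test]` on the new card is intentional, since the neighbouring card markup in this file is the only precedent for it.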
diff --git a/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc
new file mode 100644
index 0000000..c4353be
--- /dev/null
+++ b/site-content/source/modules/ROOT/pages/blog/Upgrade-Advisory2.adoc
@@ -0,0 +1,25 @@
+= Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs
+:page-layout: single-post
+:page-role: blog-post
+:page-post-date: February 18, 2022
+:page-post-author: The Apache Cassandra Community
+:description: The Apache Cassandra Community
+:keywords: 
+
+If the operator has configured the cluster in a documented insecure way, it is possible for a malicious user to execute remote code using scripted UDFs. We are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.
+
+The vulnerability being tracked in CASSANDRA-17352 makes it possible for an attacker to execute arbitrary code on the host. It’s important to note that to be exposed the user would have to opt-in to a configuration option that is documented as unsafe in the configuration file. While it’s difficult to estimate exposure to this CVE, it is likely narrow due to the need for opt-in. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
+
+Mitigation:
+
+1. When running Apache Cassandra with the following configuration:
+```
+enable_user_defined_functions: true
+enable_scripted_user_defined_functions: true
+enable_user_defined_functions_threads: false
+```
+
+Set `enable_user_defined_functions_threads: true` (this is default)
+
+[start=2]
+2. We suggest 3.0 users should upgrade to 3.0.26; 3.11 users should upgrade to 3.11.12; and 4.0 users should upgrade to 4.0.3.
\ No newline at end of file
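Review bot: the body refers to "this CVE" twice without ever naming the CVE identifier, so readers cannot correlate the advisory with the vulnerability record; the only tracker given is CASSANDRA-17352, and the page header attribute `:keywords:` is left empty where the CVE id and ticket would naturally go. Suggest adding the identifier explicitly, e.g. "The vulnerability, tracked in CASSANDRA-17352 and assigned CVE-XXXX-XXXXX, makes it possible ..." (replace the placeholder with the actual id). Two smaller points in the same hunk: `:description: The Apache Cassandra Community` duplicates the author line rather than describing the post, so the generated meta description will be wrong, and the file is committed without a trailing newline (`\ No newline at end of file`).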
