Posted to commits@cassandra.apache.org by "Jeremy Hanna (Jira)" <ji...@apache.org> on 2022/09/08 20:11:00 UTC

[jira] [Commented] (CASSANDRA-17352) CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs

    [ https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601997#comment-17601997 ] 

Jeremy Hanna commented on CASSANDRA-17352:
------------------------------------------

I just want to make sure the settings have the practical outcomes that are intended.

I can use UDFs with just the following setting:

{{enable_user_defined_functions: true}}

However, if I want to enable multi-threaded behavior in the UDFs, I would need to set:

{{enable_user_defined_functions: true}}
{{enable_user_defined_functions_threads: false}}
{{allow_insecure_udfs: true}}

If I don't do the last one, {{allow_insecure_udfs: true}}, then the server doesn't start and it gives the warning/recommendation but also says that it would require that field to be set to true to continue.

Once these fields are set, I can start the server (in my case 3.11.13).  However according to the [code|https://github.com/apache/cassandra/blob/cassandra-3.11/src/java/org/apache/cassandra/security/ThreadAwareSecurityManager.java#L186], it looks like the {{allow_extra_insecure_udfs}} setting should also be set to true for the server to start up.  Otherwise it should throw an AccessDenied exception.

So my question is: is there a bug in the implementation where we allow it to start without setting {{allow_extra_insecure_udfs: true}}?  Also if it does throw an AccessDenied exception, shouldn't it fail earlier when parsing the configuration with a log message that it is required?

That leads to another question about this: if it does require both flags to start the server, why do we have two flags?  Why not just {{allow_insecure_udfs}}, if there is no effective difference between setting {{allow_insecure_udfs}} and setting both of them?  I know the intent from the ticket was that {{allow_extra_insecure_udfs}} was to further relax security for those wanting to use the java.lang.System package in the UDF, but the line of code from the ThreadAwareSecurityManager seems to suggest that there is no difference.

> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17352
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/UDF
>            Reporter: Marcus Eriksson
>            Assignee: Marcus Eriksson
>            Priority: Normal
>             Fix For: 3.0.26, 3.11.12, 4.0.2
>
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false 
> it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team.
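The flag combinations discussed in this thread are easy to get wrong by hand, so here is a small configuration audit, added as an example and not part of the Cassandra project or of the comment above. It reads the top-level `key: value` lines of a cassandra.yaml (a deliberately minimal reader, so PyYAML is not needed; nested keys are ignored) and reports when the configuration matches the unsafe combination named in the advisory, when the node will refuse to start on a fixed release for lack of `allow_insecure_udfs: true` (as the comment above reports for 3.11.13), and when `allow_extra_insecure_udfs` relaxes the sandbox further. The defaults for the keys other than `enable_user_defined_functions_threads` (which the advisory states defaults to true) are assumptions of this example; the sample configurations at the bottom are constructed.

```python
import re
from typing import Dict, List

# Top-level boolean keys that govern UDF execution. The advisory only states
# that enable_user_defined_functions_threads defaults to true; the other
# defaults are assumptions of this example.
UDF_DEFAULTS: Dict[str, bool] = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_insecure_udfs": False,
    "allow_extra_insecure_udfs": False,
}

# Matches an unindented `key: value   # optional comment` line.
_LINE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*([^#]*?)\s*(?:#.*)?$")


def parse_top_level_scalars(text: str) -> Dict[str, str]:
    """Minimal reader for unindented `key: value` lines.

    Indented (nested) keys, blank lines and comment lines are skipped on
    purpose; the UDF flags are all top-level scalars in cassandra.yaml.
    """
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue
        m = _LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def _as_bool(raw: str, default: bool) -> bool:
    v = raw.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    return default  # absent or unparseable: fall back to the default


def udf_settings(text: str) -> Dict[str, bool]:
    """Effective value of every UDF-related flag, defaults applied."""
    raw = parse_top_level_scalars(text)
    return {k: _as_bool(raw.get(k, ""), d) for k, d in UDF_DEFAULTS.items()}


def audit_udf_config(text: str) -> List[str]:
    """Return findings; an empty list means no UDF sandbox weakening found."""
    s = udf_settings(text)
    findings: List[str] = []
    if not s["enable_user_defined_functions"]:
        return findings  # with UDFs disabled none of the other flags matter
    if not s["enable_user_defined_functions_threads"]:
        findings.append(
            "enable_user_defined_functions_threads=false: UDFs run on the "
            "calling thread, a configuration the advisory documents as unsafe; "
            "set it to true (the default)"
        )
        if s["enable_scripted_user_defined_functions"]:
            findings.append(
                "CVE-2021-44521 exposure: scripted UDFs enabled together with "
                "enable_user_defined_functions_threads=false; upgrade to "
                "3.0.26 / 3.11.12 / 4.0.2 or later and re-enable threads"
            )
        if not s["allow_insecure_udfs"]:
            findings.append(
                "allow_insecure_udfs=false with threads disabled: on a fixed "
                "release the node refuses to start until the insecure mode "
                "is explicitly acknowledged"
            )
    if s["allow_extra_insecure_udfs"]:
        findings.append(
            "allow_extra_insecure_udfs=true: sandbox relaxed further "
            "(java.lang.System access from UDFs)"
        )
    return findings


# Constructed samples: the advisory's unsafe combination, and the three-flag
# configuration from the comment above.
SAMPLE_ADVISORY_CONFIG = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false 
"""

SAMPLE_COMMENT_CONFIG = """\
enable_user_defined_functions: true
enable_user_defined_functions_threads: false
allow_insecure_udfs: true
"""

if __name__ == "__main__":
    for name, cfg in (("advisory", SAMPLE_ADVISORY_CONFIG),
                      ("comment", SAMPLE_COMMENT_CONFIG)):
        print(f"[{name}]")
        for f in audit_udf_config(cfg) or ["no findings"]:
            print("  -", f)
```

Run it against a real cassandra.yaml by passing the file contents to `audit_udf_config`; a fleet-wide sweep only needs the returned list to be non-empty to flag a node for review.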


