Posted to commits@cassandra.apache.org by mc...@apache.org on 2022/02/18 10:21:52 UTC
[cassandra] branch cassandra-3.0 updated: Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
This is an automated email from the ASF dual-hosted git repository.
mck pushed a commit to branch cassandra-3.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/cassandra-3.0 by this push:
new 679740f Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
679740f is described below
commit 679740ff487490d7d2fb0bf0d090e955a8092404
Author: Erick Ramirez <er...@apache.org>
AuthorDate: Fri Feb 18 04:48:01 2022 +0000
Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
patch by Erick Ramirez; reviewed by Marcus Eriksson, Mick Semb Wever for CASSANDRA-17388
---
CHANGES.txt | 1 +
NEWS.txt | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index ff7bcea..6705934 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -5,6 +5,7 @@
3.0.26
+ * Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352)
* Fix conversion from megabits to bytes in streaming rate limiter (CASSANDRA-17243)
* Upgrade logback to 1.2.9 (CASSANDRA-17204)
* Avoid race in AbstractReplicationStrategy endpoint caching (CASSANDRA-16673)
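Review bot: The CHANGES entry describes the fix only as extending "operator control over the UDF threading model" and does not name the settings operators now have to act on; since the NEWS.txt hunk in this same patch introduces allow_insecure_udfs and allow_extra_insecure_udfs, consider mentioning them here so someone grepping CHANGES.txt for CVE-2021-44521 finds the options directly, e.g. "... (adds allow_insecure_udfs / allow_extra_insecure_udfs) (CASSANDRA-17352)". The ticket reference is correct as the fix ticket (CASSANDRA-17352) rather than this documentation ticket (CASSANDRA-17388).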
diff --git a/NEWS.txt b/NEWS.txt
index d204aab..f0a88ca 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -27,6 +27,24 @@ Logback has not been upgraded to avoid breaking deployments and customizations
based on older versions. If you are using vulnerable components you will need
to upgrade to a newer version of Logback or stop using the vulnerable components.
+PLEASE READ: CVE-2021-44521 SCRIPTED UDF SYSTEM ACCESS (CASSANDRA-17352)
+------------------------------------------------------------------------
+
+If you have enabled scripted UDFs and run without UDF threads in cassandra.yaml:
+
+ enable_user_defined_functions_threads: false
+
+an attacker could access java.lang.System methods and execute arbitrary code on
+the machine. Disabling UDF threads is still considered insecure and not recommended.
+
+To continue running without UDF threads you will need to set:
+
+ allow_insecure_udfs: true
+
+and if you need access to java.lang.System for existing UDFs, set:
+
+ allow_extra_insecure_udfs: true
+
GENERAL UPGRADING ADVICE FOR ANY VERSION
========================================
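Review bot: The upgrade note tells operators running with enable_user_defined_functions_threads: false that they "will need to set" allow_insecure_udfs: true, but it does not say what happens on the upgraded node when that setting is absent (refuses to start, ignores UDFs, or silently continues); state the startup behaviour explicitly so the consequence of not reading the note is clear. Likewise it is not stated whether allow_extra_insecure_udfs: true is meaningful on its own or only together with allow_insecure_udfs: true, and which of the two the java.lang.System restriction actually keys on; one sentence on the relationship between the two options would remove that ambiguity. The section heading style (title line plus a dash underline) matches the surrounding NEWS.txt conventions, and the leading "PLEASE READ" is appropriate for a CVE note.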