Posted to commits@cassandra.apache.org by mc...@apache.org on 2022/02/18 10:21:52 UTC

[cassandra] branch cassandra-3.0 updated: Added CVE-2021-44521 to CHANGES.txt, NEWS.txt

This is an automated email from the ASF dual-hosted git repository.

mck pushed a commit to branch cassandra-3.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git


The following commit(s) were added to refs/heads/cassandra-3.0 by this push:
     new 679740f  Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
679740f is described below

commit 679740ff487490d7d2fb0bf0d090e955a8092404
Author: Erick Ramirez <er...@apache.org>
AuthorDate: Fri Feb 18 04:48:01 2022 +0000

    Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
    
    patch by Erick Ramirez; reviewed by Marcus Eriksson, Mick Semb Wever for CASSANDRA-17388
---
 CHANGES.txt |  1 +
 NEWS.txt    | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/CHANGES.txt b/CHANGES.txt
index ff7bcea..6705934 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -5,6 +5,7 @@
 
 
 3.0.26
+ * Extend operator control over the UDF threading model for CVE-2021-44521 (CASSANDRA-17352)
  * Fix conversion from megabits to bytes in streaming rate limiter (CASSANDRA-17243)
  * Upgrade logback to 1.2.9 (CASSANDRA-17204)
  * Avoid race in AbstractReplicationStrategy endpoint caching (CASSANDRA-16673)
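Review bot: the CHANGES.txt line names the ticket but not the operator-visible change, so someone scanning CHANGES.txt for the config keys will not find them; consider naming the new cassandra.yaml options introduced with this fix, e.g. "Extend operator control over the UDF threading model for CVE-2021-44521: add allow_insecure_udfs and allow_extra_insecure_udfs (CASSANDRA-17352)", matching the keys documented in the NEWS.txt hunk of this same commit.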
diff --git a/NEWS.txt b/NEWS.txt
index d204aab..f0a88ca 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -27,6 +27,24 @@ Logback has not been upgraded to avoid breaking deployments and customizations
 based on older versions. If you are using vulnerable components you will need
 to upgrade to a newer version of Logback or stop using the vulnerable components.
 
+PLEASE READ: CVE-2021-44521 SCRIPTED UDF SYSTEM ACCESS (CASSANDRA-17352)
+------------------------------------------------------------------------
+
+If you have enabled scripted UDFs and run without UDF threads in cassandra.yaml:
+
+    enable_user_defined_functions_threads: false
+
+an attacker could access java.lang.System methods and execute arbitrary code on
+the machine. Disabling UDF threads is still considered insecure and not recommended.
+
+To continue running without UDF threads you will need to set:
+
+    allow_insecure_udfs: true
+
+and if you need access to java.lang.System for existing UDFs, set:
+
+    allow_extra_insecure_udfs: true
+
 GENERAL UPGRADING ADVICE FOR ANY VERSION
 ========================================
 
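Review bot: the new NEWS.txt section tells operators what to set to keep running without UDF threads but not what happens after upgrading if they do not, which is the first thing an operator reading an upgrade note needs to know; add one sentence after "To continue running without UDF threads you will need to set:" stating the behaviour when `allow_insecure_udfs` is absent (for example, whether the node refuses to start or whether UDF execution changes), and state explicitly that deployments that keep the default `enable_user_defined_functions_threads: true` need no action. Also note that `allow_extra_insecure_udfs: true` re-enables exactly the java.lang.System access the paragraph above calls arbitrary code execution, so the wording "if you need access to java.lang.System for existing UDFs" would read more clearly as "only if existing UDFs require java.lang.System; this restores the insecure behaviour".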
