rangumanikar_88470 asked · Erick Ramirez edited

What steps are required to mitigate the UDF exploit in CVE-2021-44521?

Hi team,

CVE-2021-44521 – Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

Do we have to make any changes on the DB side apart from upgrading to the fixed versions?

Regards,

Mani Rangu

Tags: cve, user-defined function

starlord answered · rangumanikar_88470 commented

You can reference CASSANDRA-17352; if you upgrade to a fixed version, that is the only action necessary.


rangumanikar_88470 commented:

Hi @starlord ,

Thanks for the update.

We recently upgraded the Cassandra DB to 4.0.1, so we are keeping an upgrade as the second option.

As per this ticket, https://issues.apache.org/jira/browse/CASSANDRA-17352, will we be good if we set this parameter (enable_user_defined_functions_threads: true) in cassandra.yaml?

Regards,

Mani Rangu

Erick Ramirez answered · Erick Ramirez edited

Background

An attacker can exploit the vulnerability described in CVE-2021-44521 if scripted user-defined functions are enabled on a node (disabled by default):

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true

and UDF threads are disabled (the default is true):

enable_user_defined_functions_threads: false

Risk

A cluster is not vulnerable to the exploit under the following conditions:

  • UDFs are disabled (default configuration).
  • UDFs are enabled and UDF threads are enabled (the default).

For a cluster to be vulnerable, an administrator must have chosen to disable UDF threads against the recommendation, and it is not safe to do so.

An attacker requires permissions to create user-defined functions and nodes are particularly vulnerable if authentication is not enabled on the cluster:

authenticator: AllowAllAuthenticator

It is possible for an attacker to create functions that can execute arbitrary code on a node with this exploit.

Workaround

Disabling UDF threads is insecure and not recommended since it effectively disables the security manager in Java.

Re-enable UDF threads in cassandra.yaml and restart each node in the cluster for the change to take effect:

enable_user_defined_functions_threads: true

Solution

CVE-2021-44521 has been patched in Apache Cassandra 3.0.26, 3.11.12 and 4.0.2 (CASSANDRA-17352).

If an administrator wants to run user-defined functions without threads (not recommended) on patched clusters, an administrator will need to explicitly allow insecure UDFs with:

allow_insecure_udfs: true

in cassandra.yaml. If existing UDFs require access to java.lang.System (not recommended), set:

allow_extra_insecure_udfs: true

Note that it is not necessary to upgrade if UDF threads are enabled (the default) on a cluster.

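A configuration audit for the conditions listed in the answer above, written as an added example (not code from this thread or from the Apache Cassandra project): it reads the top-level cassandra.yaml flags, applies the defaults and the fixed releases named in the answer, and reports whether a node is exposed and what to change. The parser, the `assess` helper, the rule that release lines newer than 4.0 carry the fix, and the sample YAML are assumptions of this example.

```python
"""Audit a cassandra.yaml for the CVE-2021-44521 exposure conditions described above.

Added example, not code from the thread or from the Apache Cassandra project.
Assumptions: the fixed releases named in the answer (3.0.26, 3.11.12, 4.0.2) are the
floor of each release line and any newer line is patched; the sample YAML is constructed.
"""
import re
from dataclasses import dataclass, field

# Fixed releases from the answer (CASSANDRA-17352)
FIXED_PATCH_LEVEL = {(3, 0): 26, (3, 11): 12, (4, 0): 2}

# Matches unindented "key: value" lines; comments and nested blocks are skipped,
# which is enough for the top-level flags checked here.
_TOP_LEVEL = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>[^#]*)")


def parse_top_level(yaml_text: str) -> dict:
    """Return the top-level scalar settings of a cassandra.yaml as strings."""
    settings = {}
    for line in yaml_text.splitlines():
        m = _TOP_LEVEL.match(line)
        if m:
            settings[m.group("key")] = m.group("value").strip().strip("'\"")
    return settings


def as_bool(settings: dict, key: str, default: bool) -> bool:
    """Apply the cassandra.yaml default when the key is absent or empty."""
    value = settings.get(key, "")
    return default if value == "" else value.lower() == "true"


def is_patched(version: str) -> bool:
    """True if the release carries the CASSANDRA-17352 fix."""
    parts = [int(p) for p in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    line, patch = (parts[0], parts[1]), parts[2]
    if line in FIXED_PATCH_LEVEL:
        return patch >= FIXED_PATCH_LEVEL[line]
    # Assumption: release lines newer than 4.0 include the fix; older lines do not.
    return line > (4, 0)


@dataclass
class Assessment:
    exposed: bool = False
    findings: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def assess(yaml_text: str, version: str) -> Assessment:
    s = parse_top_level(yaml_text)
    udfs = as_bool(s, "enable_user_defined_functions", False)
    scripted = as_bool(s, "enable_scripted_user_defined_functions", False)
    threads = as_bool(s, "enable_user_defined_functions_threads", True)
    insecure_allowed = as_bool(s, "allow_insecure_udfs", False)
    authenticator = s.get("authenticator", "AllowAllAuthenticator")
    result = Assessment()

    if not udfs:
        result.findings.append("UDFs are disabled (default): not exposed")
        return result
    if threads:
        result.findings.append("UDF threads are enabled (default): not exposed, no upgrade required")
        return result
    if is_patched(version) and not insecure_allowed:
        result.findings.append(f"{version} is patched and allow_insecure_udfs is not set: "
                               "UDFs without threads must be explicitly allowed first")
        return result

    # UDF threads disabled on an unpatched node, or explicitly allowed on a patched one.
    result.exposed = True
    result.findings.append("UDF threads are disabled: the Java security manager is effectively disabled")
    if scripted:
        result.findings.append("scripted UDFs are enabled: the CVE-2021-44521 exploit conditions are met")
    if authenticator.endswith("AllowAllAuthenticator"):
        result.findings.append("authentication is not enabled (AllowAllAuthenticator): node is particularly exposed")
    result.actions.append("set enable_user_defined_functions_threads: true in cassandra.yaml and restart each node")
    if not is_patched(version):
        result.actions.append("upgrade to 3.0.26, 3.11.12 or 4.0.2 (CASSANDRA-17352)")
    return result


# Constructed sample: a 4.0.1 node where UDF threads were switched off.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
authenticator: AllowAllAuthenticator
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # disabled against recommendation
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
"""

if __name__ == "__main__":
    report = assess(SAMPLE_YAML, "4.0.1")
    print("EXPOSED" if report.exposed else "not exposed")
    for finding in report.findings:
        print(" -", finding)
    for action in report.actions:
        print(" * action:", action)
```

Running it against a real cassandra.yaml only requires reading the file into `assess`; the version can be taken from `nodetool version`. The check deliberately stops at the first condition that clears the node, mirroring the order of the answer's Risk section, so the findings read as the reason the node is or is not exposed.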