
CVE-2021-44521: Exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

Blog post from JFrog

Post Details

Company: JFrog
Author: Omer Kaspi
Word Count: 2,017
Language: English
Summary

JFrog's Security Research team uncovered a critical remote code execution (RCE) vulnerability in Apache Cassandra, designated CVE-2021-44521 with a CVSS score of 8.4, which primarily affects non-default configurations. Apache Cassandra, a widely used distributed NoSQL database, is vulnerable when specific configuration settings enable user-defined functions (UDFs) without adequate security restrictions, allowing attackers to abuse the Nashorn JavaScript engine to execute arbitrary code. Cassandra's default settings apply a security manager and class filtering that block this attack, but loosening these settings exposes the database to further risks, including denial-of-service attacks and unsafe object deserialization via the cassandra-stressd tool. Mitigations include upgrading to a patched version of Cassandra, disabling UDFs if they are not used, or keeping a secure configuration that restricts UDF-related permissions. JFrog emphasizes the importance of prompt upgrading and of security monitoring through tools such as JFrog Xray to detect and address these vulnerabilities.
