[ https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17493903#comment-17493903 ]

Tomasz Lasica edited comment on CASSANDRA-17352 at 2/17/22, 12:11 PM:
----------------------------------------------------------------------

If I understand correctly, the following conditions are required to exploit this:

(after [https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/])

Cassandra deployments are vulnerable to CVE-2021-44521 when the 
*cassandra.yaml* configuration file contains the following definitions:

{code}
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
{code}

And I wonder what the behavior of the patch will be with the following settings:

{code}
enable_user_defined_functions: true
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: false
allow_insecure_udfs: false  # default after upgrade
{code}

In this case there is no vulnerability, yet I think a ConfigurationException will 
be fired?
Is this expected behavior?




> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
>                 Key: CASSANDRA-17352
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Feature/UDF
>            Reporter: Marcus Eriksson
>            Assignee: Marcus Eriksson
>            Priority: Normal
>             Fix For: 3.0.26, 3.11.12, 4.0.2
>
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false 
> it is possible for an attacker to execute arbitrary code on the host. The 
> attacker would need to have enough permissions to create user defined 
> functions in the cluster to be able to exploit this. Note that this 
> configuration is documented as unsafe, and will continue to be considered 
> unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability 
> research team.
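
A configuration check for the flag combination discussed above, as an added example that is not part of the ticket or the Cassandra project. The function names are hypothetical, only flat `key: value` lines are parsed, and the `false` defaults for the two `enable_*_user_defined_functions` keys are an assumption about the stock cassandra.yaml (the advisory itself only states that `enable_user_defined_functions_threads: true` is the default).

```python
# Added example: reports whether cassandra.yaml text matches the flag
# combination the advisory lists for CVE-2021-44521, and which flags differ.

# Values the advisory lists as the exploitable combination.
REQUIRED = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}

# Effective values when a key is absent (threads=true is from the advisory;
# the two false defaults are an assumption, see the lead-in).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

def parse_flags(text):
    """Read the three UDF flags from flat 'key: value' lines (not full YAML)."""
    flags = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop YAML comments
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep or key not in flags:
            continue
        tokens = value.split()                 # tolerates trailing annotations
        word = tokens[0].lower() if tokens else ""
        if word in ("true", "false"):
            flags[key] = (word == "true")
    return flags

def unmet_conditions(text):
    """Flags whose effective value differs from the exploitable combination."""
    flags = parse_flags(text)
    return [k for k, want in REQUIRED.items() if flags[k] != want]

def matches_cve_2021_44521(text):
    return not unmet_conditions(text)

# Constructed inputs: the advisory's combination and the comment's second one.
ADVISORY_CONFIG = """enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""
COMMENT_CONFIG = """enable_user_defined_functions: true
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: false
allow_insecure_udfs: false (default after upgrade)
"""
```

The check covers configuration only; it does not tell you whether the node runs one of the fixed versions listed in the advisory.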


