This is an automated email from the ASF dual-hosted git repository.
mck pushed a commit to branch cassandra-3.0
in repository https://gitbox.apache.org/repos/asf/cassandra.git
The following commit(s) were added to refs/heads/cassandra-3.0 by this push:
new 679740f Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
679740f is described below
commit 679740ff487490d7d2fb0bf0d090e955a8092404
Author: Erick Ramirez <[email protected]>
AuthorDate: Fri Feb 18 04:48:01 2022 +0000
Added CVE-2021-44521 to CHANGES.txt, NEWS.txt
patch by Erick Ramirez; reviewed by Marcus Eriksson, Mick Semb Wever for
CASSANDRA-17388
---
CHANGES.txt | 1 +
NEWS.txt | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/CHANGES.txt b/CHANGES.txt
index ff7bcea..6705934 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -5,6 +5,7 @@
3.0.26
+ * Extend operator control over the UDF threading model for CVE-2021-44521
(CASSANDRA-17352)
* Fix conversion from megabits to bytes in streaming rate limiter
(CASSANDRA-17243)
* Upgrade logback to 1.2.9 (CASSANDRA-17204)
* Avoid race in AbstractReplicationStrategy endpoint caching (CASSANDRA-16673)
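Review bot: the new 3.0.26 entry names the CVE but not the configuration it changes; the two new cassandra.yaml settings (`allow_insecure_udfs` and `allow_extra_insecure_udfs`) only appear in the NEWS.txt hunk of this same commit. Operators scanning CHANGES.txt for settings that affect an upgrade will not find them here, so consider adding the setting names to the entry, e.g. "Extend operator control over the UDF threading model for CVE-2021-44521 (adds allow_insecure_udfs / allow_extra_insecure_udfs) (CASSANDRA-17352)".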
diff --git a/NEWS.txt b/NEWS.txt
index d204aab..f0a88ca 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -27,6 +27,24 @@ Logback has not been upgraded to avoid breaking deployments
and customizations
based on older versions. If you are using vulnerable components you will need
to upgrade to a newer version of Logback or stop using the vulnerable
components.
+PLEASE READ: CVE-2021-44521 SCRIPTED UDF SYSTEM ACCESS (CASSANDRA-17352)
+------------------------------------------------------------------------
+
+If you have enabled scripted UDFs and run without UDF threads in
cassandra.yaml:
+
+ enable_user_defined_functions_threads: false
+
+an attacker could access java.lang.System methods and execute arbitrary code on
+the machine. Disabling UDF threads is still considered insecure and not
recommended.
+
+To continue running without UDF threads you will need to set:
+
+ allow_insecure_udfs: true
+
+and if you need access to java.lang.System for existing UDFs, set:
+
+ allow_extra_insecure_udfs: true
+
GENERAL UPGRADING ADVICE FOR ANY VERSION
========================================
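Review bot: the upgrade note tells operators what to set ("To continue running without UDF threads you will need to set: allow_insecure_udfs: true") but not what happens on a 3.0.26 node that still has `enable_user_defined_functions_threads: false` without the new flag, so the reader cannot tell whether the node refuses to start, logs a warning, or silently re-enables UDF threads. State the concrete behaviour in one sentence so the impact on a rolling upgrade is clear. The same applies to `allow_extra_insecure_udfs: true`: the text says it is needed "if you need access to java.lang.System for existing UDFs" but not that it restores the exact exposure described two paragraphs earlier, which is worth spelling out next to the setting rather than leaving the reader to connect the two.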
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]