[
https://issues.apache.org/jira/browse/CASSANDRA-17352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17601997#comment-17601997
]
Jeremy Hanna commented on CASSANDRA-17352:
------------------------------------------
I just want to make sure the settings have the practical outcomes that are
intended.
I can use UDFs with just the following setting:
{{enable_user_defined_functions: true}}
However, if I want to enable multi-threaded behavior in the UDFs, I would need
to set:
{{enable_user_defined_functions: true}}
{{enable_user_defined_functions_threads: false}}
{{allow_insecure_udfs: true}}
If I don't do the last one, {{allow_insecure_udfs: true}}, then the server
doesn't start and it gives the warning/recommendation but also says that it
would require that field to be set to true to continue.
Once these fields are set, I can start the server (in my case 3.11.13).
However, according to the
[code|https://github.com/apache/cassandra/blob/cassandra-3.11/src/java/org/apache/cassandra/security/ThreadAwareSecurityManager.java#L186],
it looks like the {{allow_extra_insecure_udfs}} setting should also be set to
true for the server to start up. Otherwise it should throw an AccessDenied
exception.
So my question is: is there a bug in the implementation where we allow it to
start without setting {{allow_extra_insecure_udfs: true}}? Also, if it does
throw an AccessDenied exception, shouldn't it fail earlier when parsing the
configuration with a log message that it is required?
That leads to another question about this: if it does require both flags to
start the server, why do we have two flags? Why not just
{{allow_insecure_udfs}} if there is no effective difference between setting
{{allow_insecure_udfs}} and setting both of them? I know the intent from the
ticket was that the {{allow_extra_insecure_udfs}} was to further relax security
for those wanting to use the java.lang.System package in the UDF, but the line
of code from the ThreadAwareSecurityManager seems to suggest that there is no
difference.
> CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs
> -------------------------------------------------------------------------
>
> Key: CASSANDRA-17352
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17352
> Project: Cassandra
> Issue Type: Bug
> Components: Feature/UDF
> Reporter: Marcus Eriksson
> Assignee: Marcus Eriksson
> Priority: Normal
> Fix For: 3.0.26, 3.11.12, 4.0.2
>
>
> When running Apache Cassandra with the following configuration:
> enable_user_defined_functions: true
> enable_scripted_user_defined_functions: true
> enable_user_defined_functions_threads: false
> it is possible for an attacker to execute arbitrary code on the host. The
> attacker would need to have enough permissions to create user defined
> functions in the cluster to be able to exploit this. Note that this
> configuration is documented as unsafe, and will continue to be considered
> unsafe after this CVE.
> This issue is being tracked as CASSANDRA-17352
> Mitigation:
> Set `enable_user_defined_functions_threads: true` (this is default)
> or
> 3.0 users should upgrade to 3.0.26
> 3.11 users should upgrade to 3.11.12
> 4.0 users should upgrade to 4.0.2
> Credit:
> This issue was discovered by Omer Kaspi of the JFrog Security vulnerability
> research team.
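Added example, not part of the Jira comment or of the Cassandra code base: a small audit that checks a node's cassandra.yaml for the three-flag combination named in the advisory and compares the running version against the fixed releases it lists. The function names, the sample file and the two `false` defaults are assumptions of this example.

```python
import re

# Fixed release per branch, as listed in the advisory quoted above.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Values used when a key is absent. The advisory states that threads=true is
# the default; the two "false" defaults are an assumption of this example.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Constructed sample input, not taken from a real cluster.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs
# enable_user_defined_functions_threads: true
enable_user_defined_functions_threads: false
"""


def parse_flags(yaml_text):
    """Read the three top-level boolean keys; commented-out lines are ignored."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"([A-Za-z_]+)\s*:\s*([^#]*)", line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip().strip("'\"").lower() == "true"
    return flags


def audit(yaml_text, version):
    """Return (unsafe_combination, patch_status) for one node."""
    f = parse_flags(yaml_text)
    unsafe = (f["enable_user_defined_functions"]
              and f["enable_scripted_user_defined_functions"]
              and not f["enable_user_defined_functions_threads"])
    v = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(v[:2])
    if fixed is None:
        status = "unknown"  # branch not named in the advisory
    else:
        status = "patched" if v >= fixed else "unpatched"
    return unsafe, status


if __name__ == "__main__":
    print(audit(SAMPLE_YAML, "3.11.11"))  # (True, 'unpatched')
```

A result of `(True, 'patched')` still deserves review, since the advisory says this configuration remains documented as unsafe after the fix.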