Datastax Enterprise with IBM is affected by a remote code execution (RCE) vulnerability in Apache Cassandra, which has been assigned CVE-2021-44521.
CVEID: CVE-2021-44521
**DESCRIPTION:** Apache Cassandra could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw when the configuration includes enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
Datastax Enterprise with IBM | 5.1, 6.0, 6.7, 6.8 |
Affected Product(s) | Version(s) | Remediation/Fix/Instructions |
---|---|---|
Datastax Enterprise with IBM | 5.1, 6.0, 6.7, 6.8 | DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 are NOT impacted by CVE-2021-44521 in their default configuration. The cassandra.yaml file should match the table below: |
Setting | Default value |
---|---|
enable_user_defined_functions | false |
enable_scripted_user_defined_functions | false |
enable_user_defined_functions_threads | true |
If the cassandra.yaml settings differ from the table above, either roll back to the default settings or update to the following releases:
Product | Version | Fixed Version |
---|---|---|
Datastax Enterprise with IBM | 5.1.x | 5.1.29 |
Datastax Enterprise with IBM | 6.0.x | 6.0.17 |
Datastax Enterprise with IBM | 6.7.x | 6.7.16 |
Datastax Enterprise with IBM | 6.8.x | 6.8.20 |
IBM strongly recommends addressing the vulnerability now by either upgrading to the latest versions (5.1.29, 6.0.17, 6.7.16, 6.8.20) or rolling back to default settings.
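The following audit script is an added example, not part of the IBM bulletin or DataStax's tooling: it reads the three top-level cassandra.yaml keys named above with a minimal line parser (no PyYAML dependency, an assumption of this example), reports any value that deviates from the bulletin's default table, and flags the exact combination the description calls out (UDFs on, scripted UDFs on, UDF threads off). The sample configuration embedded at the bottom is constructed for illustration.

```python
"""Audit cassandra.yaml for the CVE-2021-44521 settings named in the bulletin."""
import re

# Safe defaults from the bulletin's table: DSE is not impacted with these values.
SAFE_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Matches a top-level `key: value` line with an optional trailing comment.
_KV = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<val>[^#]*?)\s*(#.*)?$")


def parse_top_level(yaml_text):
    """Minimal parser for top-level scalar keys (assumption: enough for these
    three flat booleans). Indented, blank and comment lines are skipped."""
    settings = {}
    for line in yaml_text.splitlines():
        if not line or line[0] in " \t#":
            continue
        m = _KV.match(line)
        if m and m.group("val"):
            settings[m.group("key")] = m.group("val").strip().strip("'\"")
    return settings


def to_bool(value):
    return str(value).strip().lower() in ("true", "yes", "on")


def audit(yaml_text):
    """Return (vulnerable_combination, deviations). A key that is absent or
    commented out takes the default from SAFE_DEFAULTS; `deviations` maps each
    key whose effective value differs from that default to its value."""
    found = parse_top_level(yaml_text)
    effective = {k: to_bool(found[k]) if k in found else d
                 for k, d in SAFE_DEFAULTS.items()}
    deviations = {k: v for k, v in effective.items() if v != SAFE_DEFAULTS[k]}
    vulnerable = (effective["enable_user_defined_functions"]
                  and effective["enable_scripted_user_defined_functions"]
                  and not effective["enable_user_defined_functions_threads"])
    return vulnerable, deviations


# Constructed sample showing the unsafe combination from the bulletin.
SAMPLE_UNSAFE = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true  # scripted UDFs enabled
enable_user_defined_functions_threads: false
"""

if __name__ == "__main__":
    print(audit(SAMPLE_UNSAFE))
```

Run it against the real file with `audit(open("/path/to/cassandra.yaml").read())`; an empty `deviations` dict means the node matches the bulletin's default table.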