Published: Feb 23, 2022, 10:41 p.m.

Security Bulletin: Datastax Enterprise with IBM is vulnerable to exploiting Apache Cassandra User-Defined Functions for Remote Code Execution

Source: www.ibm.com

EPSS: 0.05 (Low), percentile 92.9%

Summary

Datastax Enterprise with IBM ships Apache Cassandra, which contains a remote code execution (RCE) vulnerability assigned CVE-2021-44521. The flaw is reachable only when user-defined functions (UDFs) are enabled in a specific non-default configuration, described below.

Vulnerability Details

CVEID: CVE-2021-44521
DESCRIPTION: Apache Cassandra could allow a remote authenticated attacker to execute arbitrary code on the system. The flaw is exposed when cassandra.yaml contains all three of enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. With UDF threads disabled, scripted (JavaScript) user-defined functions are not run in the dedicated, sandboxed executor threads, and the sandbox that is meant to confine them can be bypassed. An attacker who already holds enough privileges to create user-defined functions could submit a specially crafted function and execute arbitrary code on the host.
CVSS Base score: 7.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/219451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
Datastax Enterprise with IBM 5.1, 6.0, 6.7, 6.8

Remediation/Fixes

Affected Product(s)           Version(s)          Remediation/Fix/Instructions
Datastax Enterprise with IBM  5.1, 6.0, 6.7, 6.8  DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 are NOT impacted by CVE-2021-44521 in their default configuration. The cassandra.yaml file should match the table below (the default value of each setting is the same in all four versions; a key that is absent or commented out takes the default):

Setting                                   5.1     6.0     6.7     6.8
enable_user_defined_functions             false   false   false   false
enable_scripted_user_defined_functions    false   false   false   false
enable_user_defined_functions_threads     true    true    true    true

If the cassandra.yaml settings differ from the table above (in particular, if the three keys are set to true, true and false, the combination the vulnerability requires), either roll back to the default settings or update to the following releases:

Product Version Fixed Version
Datastax Enterprise with IBM 5.1.x 5.1.29
Datastax Enterprise with IBM 6.0.x 6.0.17
Datastax Enterprise with IBM 6.7.x 6.7.16
Datastax Enterprise with IBM 6.8.x 6.8.20
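The check the remediation table asks for (does cassandra.yaml match the defaults, or does it contain the true/true/false combination named in the Vulnerability Details) can be scripted. The following is an added example written for this bulletin; it is not IBM or DataStax code, it does not talk to a running cluster, and the two sample configurations are constructed inline. It applies Cassandra's documented defaults (false / false / true) when a key is absent or commented out, treats a non-boolean value (such as the "flase" typo that appears in some copies of the advisory text) as a finding rather than silently guessing, and offers a rewrite that performs the bulletin's "roll back to default settings" on the three keys.

```python
"""Audit a cassandra.yaml for the CVE-2021-44521 setting combination.

Added example for this bulletin; not IBM or DataStax code. The sample
configurations below are constructed, not taken from a real cluster.
"""
import re

# The three settings the bulletin names, with the Cassandra default that
# applies when the key is missing from cassandra.yaml.
UDF_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# The combination the bulletin describes as exploitable.
VULNERABLE_COMBINATION = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}

# Flat `key: value` line, optional trailing comment. The three keys are
# top-level in cassandra.yaml, so a flat parser is sufficient here.
_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(\S*)\s*(?:#.*)?$")


def parse_udf_settings(yaml_text):
    """Return the effective value of each UDF key.

    Commented-out lines do not match _KV and therefore fall back to the
    default. YAML-style booleans are normalised to bool; anything else is
    kept as the raw string so check_udf_config() can flag it.
    """
    settings = dict(UDF_DEFAULTS)
    for line in yaml_text.splitlines():
        m = _KV.match(line)
        if not m or m.group(1) not in settings:
            continue
        key, raw = m.group(1), m.group(2)
        lowered = raw.lower()
        if lowered in ("true", "yes", "on"):
            settings[key] = True
        elif lowered in ("false", "no", "off"):
            settings[key] = False
        else:
            settings[key] = raw  # unparseable value, surfaced below
    return settings


def check_udf_config(yaml_text):
    """Classify a cassandra.yaml. Returns (status, effective_settings).

    'vulnerable'  : all three keys match the exploitable combination
    'non-default' : UDFs enabled, but not the exploitable combination
    'default'     : matches the bulletin's default table
    'unparseable' : a key carries a value that is not a boolean
    """
    s = parse_udf_settings(yaml_text)
    if any(not isinstance(v, bool) for v in s.values()):
        return "unparseable", s
    if s == VULNERABLE_COMBINATION:
        return "vulnerable", s
    if s == UDF_DEFAULTS:
        return "default", s
    return "non-default", s


def harden_udf_config(yaml_text):
    """Rewrite the three keys to their defaults (the bulletin's rollback).

    Lines that set one of the keys are replaced in place; keys that are
    absent stay absent, because the default already applies to them.
    """
    out = []
    for line in yaml_text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) in UDF_DEFAULTS:
            value = "true" if UDF_DEFAULTS[m.group(1)] else "false"
            out.append(f"{m.group(1)}: {value}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


# Constructed samples: a default file and the exploitable combination.
DEFAULT_YAML = """\
cluster_name: 'Test Cluster'
# enable_user_defined_functions: false
# enable_scripted_user_defined_functions: false
# enable_user_defined_functions_threads: true
"""

VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # disables the sandboxed UDF threads
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_YAML), ("vulnerable", VULNERABLE_YAML)):
        status, settings = check_udf_config(text)
        print(f"{name}: {status} {settings}")
    print(harden_udf_config(VULNERABLE_YAML))
```

Run it against a copy of each node's cassandra.yaml (the file is per node, so check every node in the cluster, not just one seed). A 'non-default' result is not the vulnerable combination but still means UDFs are enabled, which is worth confirming is intentional before the node is upgraded; an 'unparseable' result means the file should be inspected by hand, since Cassandra will not interpret a misspelled boolean the way the author intended.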

Workarounds and Mitigations

IBM strongly recommends addressing the vulnerability now by either upgrading to the latest versions (5.1.29, 6.0.17, 6.7.16, 6.8.20) or rolling back to the default settings. Note that rolling back disables user-defined functions entirely; a cluster that depends on UDFs should upgrade instead, and in any case should keep enable_user_defined_functions_threads at its default of true, since the per-thread sandbox is what confines scripted UDFs.
