JFrog Finds RCE Issue in Apache Cassandra – InApps Technology 2025

Main Contents:

JFrog Finds RCE Issue in Apache Cassandra – InApps Technology is an article under the topic Software Development Many of you are most interested in today !! Today, let’s InApps.net learn JFrog Finds RCE Issue in Apache Cassandra – InApps Technology in today’s post !

Key Summary

This article details a critical Remote Code Execution (RCE) vulnerability (CVE-2021-44521) in Apache Cassandra, a widely used open-source NoSQL database relied on by companies like Netflix, Twitter, and Reddit. Discovered by JFrog’s Security Research team, the issue poses a severe risk but can be mitigated with proper configuration and updates. Key points include:

Vulnerability Overview:
- CVE-2021-44521: Rated 8.4 on the Common Vulnerability Scoring System (CVSS), indicating a high-severity issue.
- Impact: Allows attackers to shut down the entire Cassandra daemon, disrupting critical services.
- Exploitation: Abuses the Nashorn JavaScript engine in the Java Runtime Environment (JRE), which runs on the JVM. A successful attack escapes the sandbox, enabling RCE.
- Specific Exploit: An attacker with permission to create User-Defined Functions (UDFs) can use a simple while(true) loop to overload and crash the database.
- Risk Factor: Default settings are not vulnerable, but enabling specific configurations in cassandra.yaml exposes the system:
  - enable_user_defined_functions: true
  - enable_scripted_user_defined_functions: true
  - enable_user_defined_functions_threads: false
- Critical Note: Default settings allow anonymous users to create and execute arbitrary UDFs, amplifying the risk.
Mitigation Strategies:
- Disable UDFs: Set enable_user_defined_functions to false (default) if UDFs are not needed.
- Enable Thread Safety: Set enable_user_defined_functions_threads to true (default) to limit UDF impact.
- Restrict Permissions: Remove ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE, and FUNCTION permissions for untrusted users (including anonymous) for CREATE, ALTER, and EXECUTE queries.
- Upgrade Cassandra:
  - Version 3.0.x: Upgrade to 3.0.26
  - Version 3.11.x: Upgrade to 3.11.12
  - Version 4.0.x: Upgrade to 4.0.2
- Urgency: Immediate patching is critical due to the high potential for disruption.
InApps Insight:
- This vulnerability underscores the importance of secure configuration and timely updates in critical systems like Apache Cassandra.
- InApps Technology, with expertise in secure software development, can assist clients in auditing and securing Cassandra deployments, ensuring robust, attack-resistant database solutions.

How Bad Is It?

So how bad is the Cassandra CVE-2021-44521 vulnerability? Try a Common Vulnerability Scoring System (CVSS) 8.4 level of bad. For those of you playing at home, that’s high, which is another way of saying really bad. It would be all too easy to pop this security crack open.

It works by abusing Cassandra’s Nashorn engine in the Java Runtime Environment (JRE) which is a JavaScript engine that runs on top of the Java Virtual Machine (JVM). Usually, you can’t do anything by attacking Nashorn because it works inside a sandbox. A successful attack, however, can break a hacker out of the sandbox and let them run an RCE.

The most obnoxious of these is to get a user-defined function (UDF) to run more than it allotted time. Then, the entire Cassandra daemon will shut down, not just the UDF’s thread. Then you can knock out the entire database by creating a function that loops forever with a simple while(true) loop.

True, to do this the attacker would need to have enough permissions to create UDF in the first place to be able to exploit this. But, under the above settings, all users — I repeat all users — are allowed to create and execute arbitrary UDFs. Oh, and did I mention all users mean anonymous logins are enabled by default too? So, yes even an anonymous user could be used to make a successful assault. There’s a reason why this has such a high CVSS score.

What Can You Do?

So, what can you do about it? Fortunately, a lot.

First, you can mitigate the issue If UDFs are not actively used by being completely disabled by setting enable_user_defined_functions to false, which is the default value. If you must have UDFs you can set enable_user_defined_functions_threads to true. This is again the default value. Finally, you can–and should–remove the permissions of creating, altering, and executing functions for untrusted users by removing the following permissions: ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE, and FUNCTION for CREATE, ALTER, and EXECUTE queries. I highly recommend you do this last one. Allowing untrusted users to do anything requiring trust is, by its very nature, a stupid idea.

And, of course, you should upgrade your Cassandra software to one of the following versions, which resolves CVE-2021-44521:

3.0.x users should upgrade to 3.0.26

3.11.x users should upgrade to 3.11.12

4.0.x users should upgrade to 4.0.2

That done, you can relax and get back to work. But, first, patch your Cassandra software. The potential for disaster here is too high to put this fix off until tomorrow.

InApps Technology is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: JFrog.

Source: InApps.net

Rate this post

Phu Nguyen

As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.