CVE-2021-44521
📋 TL;DR
This vulnerability allows authenticated attackers with permissions to create user-defined functions in Apache Cassandra to execute arbitrary code on the host when specific unsafe configurations are enabled. It affects Apache Cassandra clusters where user-defined functions are enabled with scripted functions allowed but without dedicated threads. The configuration is documented as unsafe but was still exploitable.
💻 Affected Systems
- Apache Cassandra
📦 What is this software?
Cassandra by Apache
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Cassandra host with root-level arbitrary code execution, leading to data theft, system takeover, and lateral movement within the network.
Likely Case
Privileged authenticated attackers gaining shell access on Cassandra nodes, potentially accessing sensitive data and disrupting database operations.
If Mitigated
Limited impact if proper access controls prevent unauthorized users from creating user-defined functions and unsafe configurations are disabled.
🎯 Exploit Status
Exploitation requires authenticated access with permissions to create user-defined functions. Public proof-of-concept code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Cassandra 4.0.3 and 3.11.12
Vendor Advisory: https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
Restart Required: Yes
Instructions:
1. Backup your Cassandra data and configuration.
2. Download and install Apache Cassandra 4.0.3 or 3.11.12 from the official website.
3. Stop the Cassandra service.
4. Apply the update.
5. Restart the Cassandra service.
6. Verify the version is updated.
🔧 Temporary Workarounds
Disable unsafe configuration
Linux: disable the vulnerable configuration by setting enable_user_defined_functions: false or enable_scripted_user_defined_functions: false in cassandra.yaml
sed -i 's/enable_user_defined_functions: true/enable_user_defined_functions: false/g' /etc/cassandra/cassandra.yaml
sed -i 's/enable_scripted_user_defined_functions: true/enable_scripted_user_defined_functions: false/g' /etc/cassandra/cassandra.yaml
Note that these sed commands only rewrite a line that currently reads "<key>: true"; if the key is absent or commented out in your cassandra.yaml, add the line explicitly, and restart Cassandra for the change to take effect.
Enable dedicated threads
Linux: set enable_user_defined_functions_threads: true so that user-defined functions run on dedicated threads
sed -i 's/enable_user_defined_functions_threads: false/enable_user_defined_functions_threads: true/g' /etc/cassandra/cassandra.yaml
As above, the sed command only changes an existing "enable_user_defined_functions_threads: false" line; add the key if it is missing or commented out.
🧯 If You Can't Patch
- Restrict permissions to create user-defined functions to only trusted administrators
- Implement network segmentation to isolate Cassandra clusters from sensitive systems
🔍 How to Verify
Check if Vulnerable:
The node is vulnerable when cassandra.yaml has all three of the following set at once: enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false
Check Version:
nodetool version
Verify Fix Applied:
Verify Cassandra version is 4.0.3 or higher, or 3.11.12 or higher using nodetool version
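The two checks above (the three-key configuration test and the version comparison) as a single POSIX shell script. This is an added example, not code from the advisory or from the Cassandra project. It assumes that a key which is absent or commented out in cassandra.yaml falls back to Cassandra's shipped default (false, false and true respectively); verify that assumption against your own configuration. The sample cassandra.yaml excerpts and version strings are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the advisory or the Cassandra project): read the
# effective value of the three UDF settings from a cassandra.yaml and report
# whether the combination the advisory calls unsafe is in force, then compare
# a `nodetool version` release string against the fixed versions (4.0.3 / 3.11.12).
# The fallback defaults (false/false/true) are an ASSUMPTION about Cassandra's
# shipped defaults; check them against your own cassandra.yaml.

# yaml_get FILE KEY DEFAULT: print the last uncommented top-level value of KEY,
# or DEFAULT when the key is absent or only present inside a comment.
yaml_get() {
  val=$(grep -E "^[[:space:]]*$2[[:space:]]*:" "$1" 2>/dev/null \
        | tail -n 1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*(#.*)?$//')
  printf '%s\n' "${val:-$3}"
}

# udf_config_vulnerable FILE: succeed (exit 0) only when UDFs and scripted UDFs
# are enabled AND the dedicated-thread setting is off.
udf_config_vulnerable() {
  udf=$(yaml_get "$1" enable_user_defined_functions false)
  scripted=$(yaml_get "$1" enable_scripted_user_defined_functions false)
  threads=$(yaml_get "$1" enable_user_defined_functions_threads true)
  [ "$udf" = true ] && [ "$scripted" = true ] && [ "$threads" = false ]
}

# version_is_fixed VERSION: succeed when VERSION (e.g. "4.0.3", or the raw
# "ReleaseVersion: 4.0.3" line) is >= 4.0.3 on the 4.0 line, >= 3.11.12 on the
# 3.11 line, or any later 4.x/5.x release. Other lines (e.g. 3.0.x) are not
# covered by the fixed versions stated above and are reported as not confirmed.
version_is_fixed() {
  v=${1#ReleaseVersion: }
  set -- $(printf '%s\n' "$v" | tr '.' ' ')
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  patch=${patch%%[!0-9]*}; patch=${patch:-0}   # drop suffixes such as "-SNAPSHOT"
  if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 0 ]; }; then return 0; fi
  if [ "$major" -eq 4 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 3 ]; then return 0; fi
  if [ "$major" -eq 3 ] && [ "$minor" -eq 11 ] && [ "$patch" -ge 12 ]; then return 0; fi
  return 1
}

# --- constructed sample inputs (not real cluster configurations) ---
SAMPLE_VULN=$(mktemp); SAMPLE_SAFE=$(mktemp)
trap 'rm -f "$SAMPLE_VULN" "$SAMPLE_SAFE"' EXIT
cat > "$SAMPLE_VULN" <<'EOF'
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # documented as unsafe
enable_user_defined_functions_threads: false
EOF
cat > "$SAMPLE_SAFE" <<'EOF'
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
# enable_user_defined_functions_threads: false   (commented out: default true applies)
EOF

# report: run both checks over the constructed samples; on a real node replace
# the sample paths with /etc/cassandra/cassandra.yaml and feed `nodetool version`.
report() {
  for f in "$SAMPLE_VULN" "$SAMPLE_SAFE"; do
    if udf_config_vulnerable "$f"; then echo "$f: UNSAFE UDF combination set"
    else echo "$f: unsafe combination not set"; fi
  done
  for ver in 4.0.1 4.0.3 3.11.12 3.11.11; do
    if version_is_fixed "$ver"; then echo "$ver: fixed"
    else echo "$ver: vulnerable or not confirmed fixed"; fi
  done
}
report
```

The first sample trips the check because all three keys are active; the second does not, because the threads key is only present as a comment and therefore keeps its default. The version test deliberately treats anything outside the 4.0.x and 3.11.x lines named on this page as unconfirmed rather than guessing.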
📡 Detection & Monitoring
Log Indicators:
- Unusual user-defined function creation events
- Execution of scripted functions from untrusted sources
- System command execution in Cassandra logs
Network Indicators:
- Unexpected outbound connections from Cassandra nodes
- Network traffic to suspicious external IPs from Cassandra
SIEM Query:
source="cassandra.log" AND ("user_defined_function" OR "UDF") AND ("create" OR "execute")
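The "unusual user-defined function creation events" indicator above, worked through over log lines. This is an added example, not part of the original page or of the Cassandra project. It assumes the pipe-separated key:value layout of Cassandra 4.0's file audit logger (user:..., type:..., operation:...); the log lines themselves are constructed for the demonstration and the function bodies in them are harmless placeholders.

```shell
#!/bin/sh
# Added example (not from the page or the Cassandra project): filter audit-log
# lines for CREATE [OR REPLACE] FUNCTION statements that use a scripted
# (JavaScript) language, which is the UDF flavour the advisory is about, and
# reduce each hit to the acting user and the statement for an alert.
# ASSUMPTION: lines use the pipe-separated key:value layout of Cassandra 4.0's
# file audit logger; adapt the field extraction if your logger differs.

# scripted_udf_creations LOGFILE: print every line that creates or replaces a
# function with LANGUAGE javascript (case-insensitive, so "JavaScript" is caught).
scripted_udf_creations() {
  grep -iE 'CREATE( OR REPLACE)? FUNCTION' "$1" \
    | grep -iE 'LANGUAGE[[:space:]]+javascript'
}

# scripted_udf_count LOGFILE: number of such lines, as a bare integer.
scripted_udf_count() {
  scripted_udf_creations "$1" | wc -l | tr -d ' '
}

# scripted_udf_alerts LOGFILE: one "user<TAB>operation" line per hit, suitable
# for forwarding to a SIEM or comparing against the list of approved UDF authors.
scripted_udf_alerts() {
  scripted_udf_creations "$1" \
    | sed -E 's/.*\|user:([^|]*)\|.*\|operation:(.*)$/\1\t\2/'
}

# --- constructed sample audit log (not real cluster output) ---
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
ts:1|user:app_reader|type:SELECT|category:QUERY|ks:shop|operation:SELECT * FROM shop.orders WHERE id = 1
ts:2|user:dba|type:CREATE_FUNCTION|category:DDL|ks:shop|operation:CREATE FUNCTION shop.double_it(x int) CALLED ON NULL INPUT RETURNS int LANGUAGE java AS 'return x * 2;'
ts:3|user:svc_etl|type:CREATE_FUNCTION|category:DDL|ks:shop|operation:CREATE FUNCTION shop.js_double(x int) CALLED ON NULL INPUT RETURNS int LANGUAGE javascript AS 'x * 2'
ts:4|user:svc_etl|type:CREATE_FUNCTION|category:DDL|ks:shop|operation:CREATE OR REPLACE FUNCTION shop.js_double(x int) CALLED ON NULL INPUT RETURNS int LANGUAGE JavaScript AS 'x * 3'
EOF

echo "scripted UDF creations: $(scripted_udf_count "$SAMPLE_LOG")"
scripted_udf_alerts "$SAMPLE_LOG"
```

Only the two JavaScript definitions by svc_etl are reported; the Java UDF and the SELECT are ignored. In practice the interesting signal is a scripted-UDF creation by a principal that is not on your short list of approved UDF authors, which is exactly the permission the "If You Can't Patch" section says to restrict.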
🔗 References
- http://www.openwall.com/lists/oss-security/2022/02/11/4
- https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
- https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
- https://security.netapp.com/advisory/ntap-20220225-0001/