Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix Apache Cassandra RCE Vulnerability- CVE-2021-44521
February 16, 2022

How To Fix Apache Cassandra RCE Vulnerability- CVE-2021-44521

How To Fix Apache Cassandra Rce Vulnerability Cve 2021 44521

The security research team from JFrog uncovered a remote code execution vulnerability in Apache Cassandra. The flaw is tracked under the CVE ID CVE-2021-44521 is assigned a base score of 8.4 allows attackers to perform remote code execution vulnerability on affected versions of Apache Cassandra database software. Since the vulnerability is easy to exploit and has the potential to wreak havoc on systems, it is very important to fix the CVE-2021-44521 vulnerability. If you are using Cassandra database in any of your DevOps projects, please read this post. We have published this blog post to let you know how to fix the Apache Cassandra RCE vulnerability and how to mitigate the flaw in the case of being unable to apply the permanent fix.

Before we jump into the topic, it is necessary to understand certain aspects to learn about the flaw. Lets get started.

What Is Apache Cassandra?

Apache Cassandra is a well-known NoSQL database developed in Java. Its Scalability and distributed nature made it extremely popular. Companies like Netflix, Twitter, Urban Airship, Constant Contact, Reddit, Cisco, OpenX, Digg, CloudKick, Ooyala, etc., will use this database extensively in their development projects. Its distributed nature made it more popular in the DevOps and cloud-native development landscape. A well-known cloud-based turnkey solution DataStax (a serverless, multi-cloud DBaaS) is built on Cassandra. 

What Is Nashorn Engine?

Since Cassandra is a NoSQL database, it stores data in JSON files. It uses User-Defined-Functions (UDFs) (written in Java and JavaScrip) to perform custom processing of data in the database. Nashorn is a JavaScript Engine that runs on top of the JVM, used to interpret UDFs written in JavaScript. 

Cassandra wrapped the Nashorn Engine with is a SandBox making Nashorn execution more secure. Or else anyone can abuse Nashorn by sending malicious untrusted code or UDFs. 

How An Attacker Exploit This Apache Cassandra RCE Vulnerability- CVE-2021-44521?

Report says that Attackers could exploit the Nashorn engine only with this non-default configuration set in the cassandra.yaml configuration file. Use your choice of text editor to edit the /etc/cassandra/cassandra.yaml file.

$ sudo nano /etc/cassandra/cassandra.yaml
# Enable UDF support for both Java and JavaScript
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true

# This is the key for the exploitation of CVE-2021-44521. It's default value is 'true'.
# true == Each invoked UDF function will run in a different thread, with a security manager without any permissions. Thsi lead to DoS attack.
# false == All invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. This lead to SandBox escape and RCE.
enable_user_defined_functions_threads: false

When the flag enable_user_defined_functions_threads in cassandra.yaml file is set to false, attackers canescape the sandbox and achieve remote code execution.

Note: These flags can also be configured via the configuration file.

About the enable_user_defined_functions_threads Flag:

This is the key to the exploitation of CVE-2021-44521. Its default value is true.true == Each invoked UDF function will run in a different thread, with a security manager without any permissions. This will lead to a DoS attack.false == All invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions. This will lead to SandBox escape and RCE.

JFrog Security team says that enable_user_defined_functions_threads is set to true by default, which means each invoked UDF function will run in a different thread, with a security manager without any permissions. This enables a malicious user to create a UDF that will shut down the Cassandra daemon. This is due to the behavior of the UDF timeout mechanism, governed by the user_defined_function_fail_timeout flag. If a UDF function runs more than the allotted time, the entire Cassandra daemon will shut down. An attacker can easily DoS the entire database by creating a function that loops forever with while(true).

When enable_user_defined_functions_threads is set to false, the UDF code runs in the daemon thread, which specifically has the permission to invoke setSecurityManager! This immediately allows us to turn off the security manager. This actually allows us to bypass any class filter by creating a new script engine, which is not restricted by the class filtering mechanism.

PoC Of Apache Cassandra RCE Vulnerability- CVE-2021-44521:

Kaspi published a PoC in the blog post. The researcher showed how a file named hacked is created on the Cassandra server.

How To Fix Apache Cassandra RCE Vulnerability- CVE-2021-44521?

Cassandra database addressed this vulnerability by adding a new flag allow_extra_insecure_udfs in v3.0.26, v3.11.12, and v4.0.2.

The flag allow_extra_insecure_udfs is set to false by default, which prevents turning off the security manager and blocks UDFs from interacting with elements outside the sandbox.

We recommend users of Apache Cassandra upgrade to one of the following versions.

  • 3.0.x users should upgrade to 3.0.26

  • 3.11.x users should upgrade to 3.11.12

  • 4.0.x users should upgrade to 4.0.2

How to upgrade Apache Cassandra on Linux?

There are a few simple prerequisites before upgrading the Apache Cassandra database:
1. Take the system snapshot backup.
2. Remove all dead nodes.
3. Do not run nodetool repair or other tasks.

Step 1. Flush all memtables from the node

Run nodetool drain command before shut down the Cassandra service. This command will help in achieving these:
1. Flush all memtables from the node to SSTables on disk.
2. Stops listening for connections from the client and other nodes.
3. Prevents overcounts of counter data, and speeds up restart post-upgrade.

$ sudo nodetool drain -h hostname

Step 2. Stop Cassandra services.

$ sudo systemctl status cassandra

Step 3. Back up your Cassandra configuration files

Use this command to take the backup of cassandra.yaml

$ sudo cp /etc/cassandra/cassandra.yaml /etc/cassandra/cassandra.yaml.backup

Step 4. Install Java 8

Since Java 8 is the recommended version it is good to install Java 8 or set Java 8 as the default Java version.

Commands to install the Java 8 and set it as default version:

$ sudo apt-get update
$ sudo apt-get install oracle-java8-set-default
$ sudo java -version

If you already have Java 8 want to set it as default version. Run this command:

$ sudo update-alternatives –config java

Step 5. Install the new version of Apache Cassandra

$ sudo apt-get update
$ sudo apt-get install cassandra=3.11.12

Step 6. Check the services and start if not active and running

Commands to start | stop | restart | status Apache Cassandra database:

$ sudo systemctl status cassandra
$ sudo systemctl start cassandra
$ sudo systemctl stop cassandra
$ sudo systemctl restart cassandra

Check the logs for any issues:

$ tail -f /ttio/var/logs/cassandra/system.log

Step 7. Run nodetool upgradesstables

$ sudo nodetool upgradesstables

Check the logs for any issues:

$ tail -f /ttio/var/logs/cassandra/system.log

Step 8. Check the status of the cluster

$ nodetool -h hostname status

How to Mitigate Apache Cassandra RCE Vulnerability- CVE-2021-44521?

The vendor has recommended a few mitigation techniques for those who cant apply the permanent patch soon.

  1. If you are not using UDFs in your deployment, set these flags;

  2. Set the flag enable_user_defined_functions to false to disable the UDF completely.

  3. Set enable_user_defined_functions_threads to true if UDFs are needed.

  4. Removing the following permissions: ALL FUNCTIONS, ALL FUNCTIONS IN KEYSPACE and FUNCTION for CREATE, ALTER, and EXECUTE queries to remove the permissions of creating, altering, and executing functions for untrusted users.

We hope this post helps you know How to Fix Apache Cassandra RCE Vulnerability CVE-2021-44521. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, & Instagram and subscribe to receive updates like this. 

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Cloud & OS Platforms

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription