Vulnerability Details : CVE-2021-44521

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Vulnerability category: Execute code

Published 2022-02-11 13:15:08

Updated 2022-08-09 00:39:08

Source Apache Software Foundation

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2021-44521

Probability of exploitation activity in the next 30 days: 2.13%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 88 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2021-44521

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
8.5	HIGH	AV:N/AC:M/Au:S/C:C/I:C/A:C	6.8	10.0	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: Single Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H	2.3	6.0	[email protected]
Attack Vector: Network Attack Complexity: Low Privileges Required: High User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2021-44521

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Assigned by: [email protected] (Secondary)
CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

Assigned by: [email protected] (Primary)

References for CVE-2021-44521

http://www.openwall.com/lists/oss-security/2022/02/11/4

Mailing List;Third Party Advisory
https://security.netapp.com/advisory/ntap-20220225-0001/

Third Party Advisory
https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/

Exploit;Mitigation;Third Party Advisory
https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356

Issue Tracking;Mailing List;Vendor Advisory

Products affected by CVE-2021-44521

Apache » Cassandra
Versions from including (>=) 3.0.0 and before (<) 3.0.26
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Matching versions
Apache » Cassandra
Versions from including (>=) 3.11.0 and before (<) 3.11.12
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Matching versions
Apache » Cassandra
Versions from including (>=) 4.0.0 and before (<) 4.0.2
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Matching versions