Security Experts:

Connect with us

Hi, what are you looking for?



High-Severity Vulnerability Found in Apache Database System Used by Major Firms

Researchers detail code execution vulnerability in Apache Cassandra

Researchers detail code execution vulnerability in Apache Cassandra

JFrog’s security researchers on Tuesday published full technical details on a high-severity remote code execution vulnerability addressed in the latest version of Apache Cassandra.

A distributed NoSQL database that offers high scalability, Cassandra is popular among organizations such as Netflix, Reddit, Twitter, Cisco, Constant Contact, Digg, Urban Airship, OpenX, and more, as well as among cloud-native and DevOps development circles.

Tracked as CVE-2021-44521 (CVSS score of 8.4), the newly patched vulnerability only affects non-default configurations of the database – which mitigates the fact that it is easy to exploit – leading to complete system compromise.

The security error only exists if functionality to create user-defined-functions (UDFs) for custom processing of data is enabled in Cassandra, and can be exploited only if the attacker has enough permissions to create UDFs. The configuration is non-default and it has been documented as unsafe.

[READ: Log4Shell-Like Vulnerability Found in Popular H2 Database]

UDFs in Cassandra can be written in Java and JavaScript, with the latter using the Nashorn engine, which “is not guaranteed to be secure when accepting untrusted code,” meaning that it should run in a sandbox, JFrog explains.

In fact, Cassandra does implement a custom sandbox to restrict the UDF code, but JFrog discovered that, when a series of non-default configuration options are enabled, an attacker could “abuse the Nashorn engine, escape the sandbox and achieve remote code execution.”

Specifically, Cassandra deployments are vulnerable when they are configured to allow UDFs and scripted UDFs, but not UDF threads. By default, UDF threads are enabled, meaning that each invoked UDF function runs in a separate thread.

When UDFs are enabled, all users can create and execute arbitrary UDFs, including those logged in anonymously, JFrog explains.

In their technical write-up on CVE-2021-44521, the security firm also explained how it was able to escape Cassandra’s sandbox, and provided a demonstration of their proof-of-concept (PoC) code in action.

The security firm also notes that, during their research, several other issues were identified, including a denial of service attack and a remote code execution exploit via unsafe object deserialization.

CVE-2021-44521 was addressed with the release of Apache Cassandra versions 3.0.26, 3.11.12, and 4.0.2, and users are advised to upgrade to the patched iterations as soon as possible.

“Apache’s fix adds a new flag – allow_extra_insecure_udfs (false by default) which disallows turning off the security manager and blocks access to java.lang.System,” JFrog explains.

Users can also mitigate the impact of this vulnerability by disabling UDFs, by allowing UDF threads (the default configuration), and by denying permissions for untrusted users.

Related: Many Prometheus Endpoints Expose Sensitive Data

Related: HAProxy Vulnerability Leads to HTTP Request Smuggling

Related: Vulnerabilities in NicheStack TCP/IP Stack Affect Many OT Device Vendors

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet