High-Severity RCE Bug Found in Popular Apache Cassandra Database (Security News, February 2022)
Researchers have shared details about a now-patched, high-severity security bug in the Apache Cassandra open-source NoSQL distributed database that's easy to exploit and, if left unpatched, could enable attackers to gain remote code execution.
In a Tuesday writeup, JFrog security researcher Omer Kaspi said that, on the upside, the only Cassandra systems vulnerable to the flaw are those running a particular non-default configuration that the project specifically recommends against.
Cassandra is a highly scalable, widely used distributed database known for being efficient and highly available, given that such databases don't have a single point of failure: a big plus for businesses that can't lose data or endure system downtime.
"Cassandra is a highly scalable, distributed NoSQL database that is extremely popular due to the benefits of its distributed nature," Kaspi said.
The researcher added that Cassandra is also extremely popular in DevOps and cloud-native development circles, "as can be seen by its support in CNCF projects."
While researching the Cassandra UDF sandbox implementation, the researchers realized that a mix of specific configuration options could allow them to abuse the Nashorn JavaScript engine, escape the sandbox and achieve RCE. The vulnerability is tracked as CVE-2021-44521.
News URL
https://threatpost.com/high-severity-rce-bug-found-in-popular-apache-cassandra-database/178464/
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-02-11 | CVE-2021-44521 | Incorrect Permission Assignment for Critical Resource vulnerability in Apache Cassandra. When running Apache Cassandra with the configuration `enable_user_defined_functions: true`, `enable_scripted_user_defined_functions: true`, `enable_user_defined_functions_threads: false`, it is possible for an attacker to execute arbitrary code on the host. | 9.1 |
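The three options in the advisory all live at the top level of `cassandra.yaml`, so an operator can check a fleet for the CVE-2021-44521 combination without more than a file read. The following audit script is an added example written for this page; it is not code from the Threatpost article, from JFrog, or from the Apache Cassandra project. It parses only un-indented `key: value` lines (enough for these keys, and it avoids a YAML dependency), and the `DEFAULTS` table records the stock values I assume the shipped `cassandra.yaml` uses (UDFs off, scripted UDFs off, UDF threads on); treat those defaults and the two embedded sample configurations as constructed assumptions, not as facts taken from the page.

```python
"""Audit a cassandra.yaml for the CVE-2021-44521 option combination.

Added example, not code from the article or the Cassandra project.
Only un-indented `key: value` lines are parsed; the three relevant
options are top-level keys, so no YAML library is needed.
"""
import re

# Assumed stock defaults from the shipped cassandra.yaml (an assumption
# of this example; a missing key falls back to these values).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# key: value, with an optional trailing "# comment"
_LINE = re.compile(
    r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<value>[^#]*?)\s*(?:#.*)?$"
)


def _to_bool(raw):
    """Map YAML-style boolean spellings to bool; None if unrecognised."""
    v = raw.strip().strip("\"'").lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    return None


def parse_top_level(text):
    """Return {key: raw_value} for every un-indented key: value line."""
    found = {}
    for line in text.splitlines():
        if not line or line[0] in " \t#":
            continue  # nested key, blank line or comment
        m = _LINE.match(line)
        if m:
            found[m.group("key")] = m.group("value")
    return found


def effective_settings(text):
    """Explicit settings layered over DEFAULTS; unparseable values keep the default."""
    found = parse_top_level(text)
    effective = dict(DEFAULTS)
    for key, default in DEFAULTS.items():
        if key in found:
            parsed = _to_bool(found[key])
            effective[key] = default if parsed is None else parsed
    return effective


def is_vulnerable_combination(text):
    """True only when all three conditions from the advisory hold at once."""
    s = effective_settings(text)
    return (
        s["enable_user_defined_functions"]
        and s["enable_scripted_user_defined_functions"]
        and not s["enable_user_defined_functions_threads"]
    )


def audit(text):
    """Return a list of findings; an empty list means the combination is absent."""
    s = effective_settings(text)
    findings = []
    if is_vulnerable_combination(text):
        findings.append(
            "CVE-2021-44521 combination present: scripted UDFs enabled with "
            "enable_user_defined_functions_threads: false. Restore "
            "enable_user_defined_functions_threads: true or disable scripted "
            "UDFs, and upgrade to a patched Cassandra release."
        )
    elif s["enable_scripted_user_defined_functions"]:
        findings.append("scripted UDFs enabled (non-default); confirm they are required")
    return findings


# Constructed sample configurations for the demonstration.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # not recommended
"""

HARDENED_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: false
# enable_user_defined_functions_threads left at its default (true)
"""

if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_YAML), ("hardened", HARDENED_YAML)):
        print(name + ":", audit(doc) or ["no findings"])
```

The check is deliberately conjunctive: scripted UDFs on their own are non-default and worth reviewing, but only the full triple with UDF threads disabled matches the advisory, so the script reports that case separately from the milder "scripted UDFs enabled" note. In a real deployment, run it against the file each node actually loads, since per-node overrides are exactly how a non-recommended setting slips in.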