CASSANDRA-17394 Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs

patch by Diogenese Topper; reviewed by PMC for CASSANDRA-17394
dtopdontstop authored and ekaterinadimitrova2 committed Feb 18, 2022
1 parent e98ea99 commit c8135531e97d9f0de4fc39437c6c18e18e6e4f79
Showing 2 changed files with 50 additions and 0 deletions.
@@ -8,6 +8,31 @@ NOTES FOR CONTENT CREATORS
- Replace post tile, date, description and link to you post.
////

//start card
[openblock,card shadow relative test]
----
[openblock,card-header]
------
[discrete]
=== Apache Cassandra Upgrade Advisory
[discrete]
==== February 18, 2022
------
[openblock,card-content]
------
If the operator has configured the cluster in a documented insecure way, it is possible for malicious users to execute remote code using scripted UDFs. Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.

[openblock,card-btn card-btn--blog]
--------
[.btn.btn--alt]
xref:blog/Upgrade-Advisory2.adoc[Read More]
--------

------
----
//end card

//start card
[openblock,card shadow relative test]
----
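Review bot: the card blurb on the line beginning `Users of Apache Cassandra 3.0, 3.11, and 4.0 to upgrade` has lost its verb; the full post reads `We are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.`, so the card should carry that sentence (or a shortened form that still has a verb) so the summary reads as a complete sentence and matches the post. The `Read More` button points at `xref:blog/Upgrade-Advisory2.adoc`, but the path of the new file is not visible in this diff, so confirm the new post is saved under exactly that name. The `test` class in `[openblock,card shadow relative test]` matches the neighbouring card, so it is consistent, but it is worth confirming it is meant to be on published cards.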
@@ -0,0 +1,25 @@
= Upgrade Advisory: 3.0, 3.11, 4.0 Possible for Remote Code Execution for Scripted UDFs
:page-layout: single-post
:page-role: blog-post
:page-post-date: February 18, 2022
:page-post-author: The Apache Cassandra Community
:description: The Apache Cassandra Community
:keywords:

If the operator has configured the cluster in a documented insecure way, it is possible for a malicious user to execute remote code using scripted UDFs. We are advising users of Apache Cassandra 3.0, 3.11 and 4.0 to upgrade or to reset enable_user_defined_functions_threads back to true.

The vulnerability being tracked in CASSANDRA-17352 makes it possible for an attacker to execute arbitrary code on the host. It’s important to note that to be exposed the user would have to opt-in to a configuration option that is documented as unsafe in the configuration file. While it’s difficult to estimate exposure to this CVE, it is likely narrow due to the need for opt-in. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

Mitigation:

1. When running Apache Cassandra with the following configuration:
```
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
```
Set `enable_user_defined_functions_threads: true` (this is default)

[start=2]
2. We suggest 3.0 users should upgrade to 3.0.26; 3.11 users should upgrade to 3.11.12; and 4.0 users should upgrade to 4.0.3.
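Review bot: the post says "this CVE" twice without ever giving the CVE identifier, and it tracks the bug under CASSANDRA-17352 while the commit itself references CASSANDRA-17394; add the CVE id (with a link to the issue) in the paragraph beginning `The vulnerability being tracked in CASSANDRA-17352` and confirm both ticket numbers are intended. In the header, `:description: The Apache Cassandra Community` duplicates `:page-post-author:` and should instead summarise the post (the first sentence of the body would do), and `:keywords:` is left empty. In the mitigation, the YAML is fenced in triple backticks while the site's other blocks use `----` listing delimiters, and `[start=2]` sits above an item that is already written as `2.`, so one of the two is redundant; `(this is default)` should read `(this is the default)`. It would also help operators to state plainly that the exposed state is the combination of all three settings shown and that any one of `enable_scripted_user_defined_functions: false` or `enable_user_defined_functions_threads: true` takes the cluster out of that state, since the text currently names only the latter.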
