Select Page

Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Omer Kaspi, security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.

Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.

Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions (UDFs) are enabled, effectively allowing an attacker to leverage the Nashorn JavaScript engine, escape the sandbox, and achieve execution of untrusted code.

images from Hacker News