High-Severity RCE Bug Found in Popular Apache Cassandra Database

On the plus side, only instances with non-standard, not-recommended configurations are vulnerable. On the downside, those configurations aren’t easy to track down, and it’s easy as pie to exploit.

Researchers have shared details about a now-patched, high-severity security bug in the Apache Cassandra open-source NoSQL distributed database that’s easy to exploit and, if left unpatched, could enable attackers to gain remote code execution (RCE).

The bug, which involves how Cassandra creates user-defined-functions (UDFs) to perform custom processing of data, is tracked as CVE-2021-44521, with a high-severity rating of 8.4.

The vulnerability was discovered by JFrog’s Security Research team. In a Tuesday writeup, JFrog security researcher Omer Kaspi said that, on the upside, the only Cassandra systems vulnerable to the flaw are those running a particular non-standard and specifically not-recommended configuration.

On the downside, it’s a snap to exploit, and JFrog has already created a proof-of-concept (PoC) exploit. Another downside: this database is everywhere.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Kaspi said in his writeup.
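Because the article stresses that the risky, non-default configurations are hard to track down, here is an added defender-side audit script (it is not from the article, from JFrog, or from the Cassandra project) that reads a `cassandra.yaml` and reports the UDF-related settings that deviate from their defaults. The three keys and their defaults are Cassandra's documented `cassandra.yaml` settings; the specific combination the script reports as exposing CVE-2021-44521 (UDFs enabled, scripted UDFs enabled, and the per-UDF thread sandbox disabled) comes from the Apache advisory for this CVE, not from this article. The two sample configurations embedded below are constructed for the example.

```python
"""Audit a cassandra.yaml for non-default user-defined-function (UDF) settings.

Added example for defenders: it only reads configuration and reports drift
from Cassandra's documented defaults; it does not touch a running cluster.
"""
import re

# Cassandra's documented defaults for the three UDF-related keys.
UDF_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}


def parse_flat_yaml(text):
    """Return top-level scalar `key: value` pairs from a cassandra.yaml.

    Comment lines, blank lines, indented (nested) keys and list items are
    skipped; this is enough for the flat boolean keys audited here and
    avoids a PyYAML dependency.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0] in " \t-":
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*):\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def to_bool(value, default):
    """Interpret a YAML boolean scalar; an absent key yields the default."""
    if value is None or value == "":
        return default
    lowered = value.lower()
    if lowered in ("true", "yes", "on"):
        return True
    if lowered in ("false", "no", "off"):
        return False
    raise ValueError("not a boolean setting: %r" % value)


def audit_udf_settings(yaml_text):
    """Report UDF settings that differ from defaults and whether the
    CVE-2021-44521 precondition (per the Apache advisory) is met."""
    raw = parse_flat_yaml(yaml_text)
    effective = {k: to_bool(raw.get(k), d) for k, d in UDF_DEFAULTS.items()}
    findings = []
    if effective["enable_user_defined_functions"]:
        findings.append("enable_user_defined_functions is true (default: false)")
    if effective["enable_scripted_user_defined_functions"]:
        findings.append("enable_scripted_user_defined_functions is true (default: false)")
    if not effective["enable_user_defined_functions_threads"]:
        findings.append("enable_user_defined_functions_threads is false (default: true)")
    exposed = (effective["enable_user_defined_functions"]
               and effective["enable_scripted_user_defined_functions"]
               and not effective["enable_user_defined_functions_threads"])
    return {"effective": effective, "findings": findings,
            "cve_2021_44521_exposed": exposed}


# Constructed sample: a node left at the shipped defaults.
SAFE_CONFIG = """\
cluster_name: 'Test Cluster'
num_tokens: 16
# enable_user_defined_functions: false
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
"""

# Constructed sample: the non-default, not-recommended combination.
RISKY_CONFIG = """\
cluster_name: 'Analytics'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs
enable_user_defined_functions_threads: false
"""

if __name__ == "__main__":
    for name, cfg in (("safe", SAFE_CONFIG), ("risky", RISKY_CONFIG)):
        report = audit_udf_settings(cfg)
        print(name, "exposed:", report["cve_2021_44521_exposed"])
        for f in report["findings"]:
            print("  -", f)
```

Run it against each node's `cassandra.yaml` (configuration management or a fleet-wide file collection makes this a one-liner per host); any host whose report lists all three findings is running the configuration the article warns about and should be prioritised for the vendor patch or for reverting the settings to their defaults.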

What, and Where, Exactly, is

Read More: https://threatpost.com/high-severity-rce-bug-found-in-popular-apache-cassandra-database/178464/