IBM Support

CVE-2021-44521 Exploiting Apache Cassandra User-Defined Functions (UDFs) for Remote Code Execution

Troubleshooting


Problem

Issue:

On February 11, 2022, DataStax was made aware of an RCE (Remote Code Execution) security vulnerability in Apache Cassandra that has been assigned CVE-2021-44521, with a CVSS score of 8.4/10. On February 14, 2022, JFrog's Security Research team publicly disclosed this vulnerability in Apache Cassandra. DataStax provides support for Apache Cassandra, and its DataStax Enterprise (DSE), Astra Classic and Astra Serverless products are based on Apache Cassandra.

Affected DataStax product versions:

DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 are NOT impacted by CVE-2021-44521 in their default configuration. If you are using these products with a non-default configuration, please refer to the “Mitigation for DSE customers” section below to determine whether you are impacted and need to take further action. We are working on updated versions of DSE that mitigate the issue and will make them available before Friday (2/18/2022).

Astra Classic and Astra Serverless are not affected by CVE-2021-44521.

Apache Cassandra versions 3.0, 3.11 and 4.0 are not impacted by CVE-2021-44521 in their default configuration. If you are using these products with a non-default configuration, please refer to the “Mitigation for Apache Cassandra customers” section below to determine whether you are impacted and need to take further action. Updated versions of Apache Cassandra that mitigate the issue are already available.

Database community tools like Reaper, Medusa, Quarkus Extension for Apache Cassandra, Management API for Apache Cassandra, DSBulk, Stargate, and the Java Drivers are NOT impacted by CVE-2021-44521.

DataStax OpsCenter and DataStax OpsCenter agents are NOT impacted by CVE-2021-44521.

Initial investigations over the past 5 days do not show any Indicators of Compromise (IoCs). DataStax will continue to monitor and investigate the situation and provide updates on any further developments.

Background:

CVE-2021-44521 Overview:

When running Apache Cassandra or DSE with the following configuration:

   enable_user_defined_functions: true
   enable_scripted_user_defined_functions: true
   enable_user_defined_functions_threads: false

   authenticator: AllowAllAuthenticator

it is possible for an attacker to execute arbitrary code on the host. The first three settings are the vulnerable combination: with UDF threads disabled, a scripted (JavaScript) UDF runs on the request thread, outside the sandbox that the security manager enforces on dedicated UDF threads, so the function body can turn off the security manager and run arbitrary code. The attacker needs enough permissions to create user-defined functions in the cluster; with AllowAllAuthenticator, any client that can reach the CQL port connects without credentials, so that requirement is not a meaningful barrier. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

CVE-2021-44521 has a CVSS base score of 8.4/10, rated High.

Mitigation for DSE customers:

If you're running DSE in your environment, verify the UDF settings in cassandra.yaml. The shipped defaults for DSE 5.1, 6.0, 6.7 and 6.8 are:

   enable_user_defined_functions: false
   enable_scripted_user_defined_functions: false
   enable_user_defined_functions_threads: true

If your settings differ and match the combination listed in the Background section above, your environment is susceptible to exploitation of CVE-2021-44521. We recommend either rolling the configuration back to the defaults listed above or upgrading your DSE version once the updates are available (ETA Friday 2/18/2022).

Mitigation for Apache Cassandra customers:

If you’re running Apache Cassandra in your environment, verify your configuration settings in cassandra.yaml. The shipped defaults are:

   Setting                                   3.0     3.11    4.0
   enable_user_defined_functions             false   false   false
   enable_scripted_user_defined_functions    false   false   false
   enable_user_defined_functions_threads     true    true    true

If your settings differ and match the combination listed in the Background section above, your environment is susceptible to exploitation of CVE-2021-44521. We recommend either rolling the configuration back to the defaults listed above or upgrading to Apache Cassandra 3.0.26, 3.11.12 or 4.0.2 (or later). These releases add a new cassandra.yaml flag, allow_extra_insecure_udfs, which defaults to false; with it off, a scripted UDF can no longer turn off the Java security manager, which is the step the exploit relies on.
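The two mitigation sections above both come down to the same check of cassandra.yaml. The following Python script is an added example, not part of the DataStax advisory or of Apache Cassandra, that applies that check to a configuration file: it reads the top-level keys, fills in the shipped defaults for any key that is absent, reports the three-flag combination from the Background section, notes whether AllowAllAuthenticator makes it reachable without credentials, and separately reports whether allow_extra_insecure_udfs: true would re-open the issue on a fixed release. The sample configurations embedded in the block are constructed for illustration; the default values are taken from the tables above.

```python
"""Audit a cassandra.yaml for the CVE-2021-44521 configuration combination.

Standard library only.  The keys involved are all top-level scalars in
cassandra.yaml, so a line-oriented parse is sufficient (no PyYAML needed).
"""
import re
import sys

# Shipped defaults for the keys that matter (Apache Cassandra 3.0/3.11/4.0
# and DSE 5.1-6.8).  A key absent from the file takes its default value.
DEFAULTS = {
    "enable_user_defined_functions": "false",
    "enable_scripted_user_defined_functions": "false",
    "enable_user_defined_functions_threads": "true",
    "authenticator": "AllowAllAuthenticator",
    # Introduced by the fixed releases (3.0.26, 3.11.12, 4.0.2); unpatched
    # versions do not know this key, so treating it as false is conservative.
    "allow_extra_insecure_udfs": "false",
}

# Matches unindented "key: value" lines and drops a trailing "# comment".
_KV = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):[ \t]*([^#\r\n]*?)[ \t]*(?:#.*)?$")


def parse_top_level(yaml_text):
    """Return {key: value} for the top-level scalar settings in yaml_text."""
    found = {}
    for line in yaml_text.splitlines():
        m = _KV.match(line)
        if m:
            found[m.group(1)] = m.group(2).strip("'\"")
    return found


def _true(value):
    return value.strip().lower() == "true"


def assess(yaml_text):
    """Classify a cassandra.yaml against the CVE-2021-44521 preconditions."""
    cfg = {**DEFAULTS, **parse_top_level(yaml_text)}
    udfs = _true(cfg["enable_user_defined_functions"])
    scripted = _true(cfg["enable_scripted_user_defined_functions"])
    threads_off = not _true(cfg["enable_user_defined_functions_threads"])
    extra_insecure = _true(cfg["allow_extra_insecure_udfs"])
    # AllowAllAuthenticator accepts any client without credentials, so the
    # "permission to create UDFs" precondition is met by anyone who can reach
    # the CQL port.
    unauthenticated = cfg["authenticator"].endswith("AllowAllAuthenticator")

    combo = udfs and scripted and threads_off
    findings = []
    if combo:
        findings.append("scripted UDFs enabled while the UDF thread sandbox is disabled")
        if unauthenticated:
            findings.append("AllowAllAuthenticator: unauthenticated clients may create UDFs")
        if extra_insecure:
            findings.append("allow_extra_insecure_udfs: true re-opens the issue on fixed releases")
    return {
        # exploitable on releases before 3.0.26 / 3.11.12 / 4.0.2
        "exposed_unpatched": combo,
        # still exploitable after upgrading, because the new guard is switched off
        "exposed_patched": combo and extra_insecure,
        "unauthenticated": unauthenticated,
        "findings": findings,
    }


# Constructed sample configurations (not taken from a real cluster).
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs
enable_user_defined_functions_threads: false
authenticator: AllowAllAuthenticator
"""

DEFAULT_YAML = """\
cluster_name: 'Test Cluster'
# UDF keys omitted: the shipped defaults apply
authenticator: PasswordAuthenticator
"""

PATCHED_BUT_REOPENED_YAML = VULNERABLE_YAML + "allow_extra_insecure_udfs: true\n"


if __name__ == "__main__":
    # Usage: python udf_check.py /etc/cassandra/cassandra.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_YAML
    report = assess(text)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("exposed (unpatched):", report["exposed_unpatched"],
          "| exposed (patched):", report["exposed_patched"])
```

Run it against each node's cassandra.yaml; a node reporting exposed (unpatched) True should be rolled back to the defaults or upgraded, and one reporting exposed (patched) True has re-enabled the issue by hand and should have allow_extra_insecure_udfs returned to false.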

Last Reviewed Date: 12/21/2023

Document Location

Worldwide


Historical Number

ka0Ui0000000Rt3IAE

Document Information

Modified date:
30 January 2026

UID

ibm17258534