Researchers have revealed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution (RCE) on affected installations. Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.

Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions (UDFs) are enabled, effectively allowing an attacker to leverage the Nashorn JavaScript engine, escape the sandbox, and achieve execution of untrusted code.

Specifically, it was found that Cassandra deployments are vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

• enable_user_defined_functions: true
• enable_scripted_user_defined_functions: true
• enable_user_defined_functions_threads: false

When the [enable_user_defined_functions_threads] option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions, thereby allowing the adversary to disable the security manager and break out of the sandbox and run arbitrary shell commands on the server.

Apache Cassandra users are encouraged to upgrade to versions 3.0.26, 3.11.12, and 4.0.2 to avoid possible exploitation, which addresses the flaw by adding a new flag "allow_extra_insecure_udfs" that's set to false by default and prevents turning off the security manager.