Researchers revealed a now-patched high-severity security vulnerability in Apache Cassandra. If unaddressed, the vulnerability could be abused to gain remote code execution (RCE) on affected installations.

In a blog, Omer Kaspi, security researcher at DevOps firm JFrog, said, "This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra." Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario where the configuration for user-defined functions (UDFs) are enabled, effectively allowing an attacker to leverage the Nashorn JavaScript engine, escape the sandbox, and achieve execution of untrusted code, JFrog says.

Cassandra is a highly scalable, distributed NoSQL database that is extremely popular due to the benefits of its distributed nature. Cassandra is used by enterprises such as Netflix, Twitter, Urban Airship, Constant Contact, Reddit, Cisco, OpenX, Digg, CloudKick, Ooyala, and more. Cassandra is also extremely popular in DevOps and cloud-native development circles, as can be seen by its support in CNCF projects (such as Jaeger), JFrog says. 

Casey Bisson, Head of Product and Developer Relations at BluBracket, says Apache Cassandra is reported to be used as critical infrastructure supporting multiple top-tier internet giants, so a remote code execution vulnerability could have a broad impact with very serious consequences as a threat actor could read or manipulate sensitive data in vulnerable configurations. 

Fortunately, Bisson says, "default configurations are not vulnerable, and the configuration variable suggests the risk. However, if a threat actor can gain access to the configuration, they could enable the vulnerability without the operators being aware."

While the vulnerability is not as serious as Log4j, it does appear to be mobile and potentially widespread. John Bambenek, Principal Threat Hunter at Netenrich, explains, "Unfortunately, there is no way to know exactly how many installations are vulnerable, and this is likely the kind of vulnerability that automated vulnerability scanners will miss. Enterprises will have to go into the configuration files of every Cassandra instance to determine what their risk is."