CVE-2021-44521 Overview
CVE-2021-44521 is a critical remote code execution vulnerability in Apache Cassandra. When Cassandra runs with a specific combination of User-Defined Function (UDF) settings, the sandbox that is meant to confine UDF code can be bypassed, and a crafted UDF payload can execute arbitrary code on the host system.
Critical Impact
An authenticated attacker with permissions to create user-defined functions can escape the Cassandra security sandbox and execute arbitrary code on the underlying host system, potentially leading to complete system compromise.
Affected Products
- Apache Cassandra (multiple versions) when running with the following UDF configuration, all three settings in effect together:
- enable_user_defined_functions: true
- enable_scripted_user_defined_functions: true
- enable_user_defined_functions_threads: false
Discovery Timeline
- 2022-02-11 - CVE-2021-44521 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-44521
Vulnerability Analysis
This vulnerability stems from a code injection flaw (CWE-94) combined with incorrect permission assignment for critical resources (CWE-732) in Apache Cassandra's User-Defined Functions feature. When Cassandra is configured to run scripted UDFs without thread isolation (enable_user_defined_functions_threads: false), the security sandbox designed to restrict UDF execution can be bypassed.
The attack requires network access to the Cassandra cluster and high-level privileges (the ability to create UDFs), but once exploited, the impact extends beyond the Cassandra instance to the underlying host system. Because the impact crosses from the database into the host (a scope change), the vulnerability is particularly dangerous: it allows an attacker to pivot from database access to full control of the system.
The configuration combination that enables exploitation is explicitly documented by Apache as unsafe, yet real-world deployments may still use this configuration for performance reasons or misconfiguration.
Root Cause
The root cause lies in the interaction between Cassandra's UDF execution environment and the Java Security Manager when thread isolation is disabled. When enable_user_defined_functions_threads is set to false, UDFs execute in the same thread context as the Cassandra daemon, allowing malicious code to escape the intended sandbox restrictions. This improper permission assignment enables attackers to leverage Java reflection and other techniques to break out of the restricted execution environment.
Attack Vector
The attack is executed over the network against an exposed Cassandra cluster. An attacker must first authenticate to the cluster and have sufficient permissions to create user-defined functions. Once these prerequisites are met, the attacker can craft a malicious UDF that exploits the sandbox escape vulnerability.
The exploitation technique involves creating a scripted UDF (typically using JavaScript or another supported scripting language) that leverages the weakened security context to access Java classes and methods normally restricted by the sandbox. When the UDF is executed, the attacker gains the ability to run arbitrary commands on the host system with the privileges of the Cassandra process.
Detailed technical analysis of the exploitation technique is available in the JFrog Blog on CVE-2021-44521.
Detection Methods for CVE-2021-44521
Indicators of Compromise
- Unexpected or suspicious user-defined functions created in Cassandra keyspaces
- Unusual process spawning from the Cassandra daemon process
- Network connections initiated from the Cassandra server to unexpected destinations
- Modifications to system files or configurations from the Cassandra user context
Detection Strategies
- Audit Cassandra configuration files for the vulnerable configuration combination (enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, enable_user_defined_functions_threads: false)
- Monitor CQL queries for CREATE FUNCTION statements from unauthorized users or containing suspicious code patterns
- Implement host-based intrusion detection to identify unusual behavior from the Cassandra process
- Review Cassandra system tables for recently created or modified UDFs
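As an added example (not from the advisory or the Cassandra project), a small Python checker for the configuration audit described above: it reads the three UDF settings from a cassandra.yaml, applies Cassandra's shipped defaults for any that are absent, and flags the vulnerable combination. It handles only flat top-level `key: value` lines, so it needs no YAML library; the sample fragments are constructed.

```python
import re

# Shipped cassandra.yaml defaults: UDFs and scripted UDFs off, isolation on.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}
# Top-level `key: value` line with an optional trailing comment.
_LINE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*:\s*(?P<val>[^#]*?)\s*(#.*)?$")

def parse_flat_yaml(text):
    """Top-level scalar lines -> {key: value}; true/false become bools.
    Indented (nested) lines, comments and valueless keys are skipped."""
    settings = {}
    for raw in text.splitlines():
        if not raw or raw[0] in " \t#":
            continue
        m = _LINE.match(raw)
        if not m:
            continue
        val = m.group("val").strip()
        if val.lower() in ("true", "false"):
            settings[m.group("key")] = val.lower() == "true"
        elif val:
            settings[m.group("key")] = val
    return settings

def udf_sandbox_exposed(text):
    """True when the file has the documented unsafe combination:
    UDFs on, scripted UDFs on, per-UDF thread isolation off."""
    cfg = {**DEFAULTS, **parse_flat_yaml(text)}
    return (cfg["enable_user_defined_functions"] is True
            and cfg["enable_scripted_user_defined_functions"] is True
            and cfg["enable_user_defined_functions_threads"] is False)

# Constructed sample fragments, not real deployment files.
VULNERABLE_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # scripted UDFs on
enable_user_defined_functions_threads: false   # isolation off
"""
HARDENED_YAML = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
# enable_user_defined_functions_threads left at its default (true)
"""
if __name__ == "__main__":
    for name, doc in (("vulnerable", VULNERABLE_YAML), ("hardened", HARDENED_YAML)):
        print(name, "->", "EXPOSED" if udf_sandbox_exposed(doc) else "ok")
```

Run it against each node's cassandra.yaml; a node is flagged only when all three settings match, so a file that leaves the thread setting at its default is reported as not exposed.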
Monitoring Recommendations
- Enable detailed audit logging for all DDL operations in Cassandra clusters
- Configure alerting on new UDF creation events
- Monitor system calls made by the Cassandra process using tools like auditd or eBPF
- Implement network segmentation monitoring to detect lateral movement attempts from Cassandra hosts
How to Mitigate CVE-2021-44521
Immediate Actions Required
- Review and modify Cassandra configuration to disable the vulnerable feature combination
- Set enable_user_defined_functions_threads: true if UDFs are required
- Audit existing user-defined functions for potentially malicious code
- Restrict permissions for creating UDFs to only trusted administrators
Patch Information
Apache has addressed this vulnerability in updated versions of Cassandra. Administrators should upgrade to the latest patched version available for their deployment. Refer to the Apache Thread on Security for official guidance on affected versions and patches. Additional vendor-specific guidance is available in the NetApp Security Advisory NTAP-20220225-0001.
Workarounds
- Disable scripted user-defined functions entirely by setting enable_scripted_user_defined_functions: false
- If UDFs are required, ensure enable_user_defined_functions_threads: true to maintain thread isolation
- Implement strict access controls limiting who can create UDFs in the cluster
- Deploy network segmentation to limit exposure of Cassandra CQL ports
# Secure Cassandra configuration example (cassandra.yaml)
# Option A: disable UDFs and scripted UDFs entirely (most secure)
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false

# Option B: if UDFs are required, keep thread isolation enabled
# (use instead of Option A; a YAML file must not repeat these keys)
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


