Researchers on Tuesday disclosed a remote code execution (RCE) vulnerability for Apache Cassandra, which they say is easy for attackers to exploit and could potentially wreak havoc on systems.
In a blog post, JFrog researchers explained that Cassandra is a highly scalable, distributed NoSQL database that’s very popular because of its distributed nature. Companies including Netflix, Twitter, Urban Airship, Constant Contact, Reddit, Cisco and many others use Cassandra.
JFrog’s research team also pointed out that Cassandra has become popular in DevOps and cloud-native development circles, and has been supported by important Cloud Native Computing Foundation projects.
The Cassandra database gets used by companies of all sizes, said Casey Bisson, head of product and developer relations at BluBracket. Bisson said it’s reportedly used as critical infrastructure supporting multiple top-tier internet giants, so an RCE vulnerability could have a broad impact with very serious consequences.
“Threat actors may be able to read or manipulate sensitive data in vulnerable configurations,” Bisson said. “Fortunately, default configurations are not vulnerable, and the configuration variable suggests the risk. However, if a threat actor can gain write access to the configuration, they could enable the vulnerability without the operators being aware.”
John Bambenek, principal threat hunter at Netenrich, added that while not as serious as Log4j, the vulnerability does have the appearance of something that’s mobile and potentially widespread.
“Even though it requires non-default user configuration settings, I suspect that the settings are common in many applications around the world,” Bambenek said. “Unfortunately, there’s no way to know exactly how many installations are vulnerable and it's likely the kind of vulnerability that automated vulnerability scanners will miss. Enterprises will have to go into the configuration files of every Cassandra instance to determine the risk.”
JFrog’s research team said those looking to patch the RCE vulnerability — CVE-2021-44521 — should do the following:
- 3.0.x users should upgrade to 3.0.26.
- 3.11.x users should upgrade to 3.11.12.
- 4.0.x users should upgrade to 4.0.2.
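Because the article notes that scanners will likely miss this issue and that each instance's configuration must be inspected by hand, here is an added triage helper (not from the article or from JFrog) that checks a node's version against the fixed releases above and looks for the non-default user-defined-function (UDF) settings. The three cassandra.yaml keys come from JFrog's published write-up as I know it, not from this article; the YAML parsing is a deliberately simplified top-level `key: value` scan, and the sample configuration is constructed.

```python
import re

# Fixed releases per branch, as listed in the upgrade guidance above.
FIXED = {"3.0": (3, 0, 26), "3.11": (3, 11, 12), "4.0": (4, 0, 2)}

# Non-default combination that makes a node exploitable (per JFrog's
# write-up, not this article). Cassandra's defaults differ, so a stock
# cassandra.yaml is not affected.
UDF_KEYS = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}


def parse_version(text):
    """Turn '3.11.11' (or 'cassandra 3.11.11') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {text!r}")
    return tuple(int(x) for x in m.groups())


def needs_upgrade(version):
    """True if below the fixed release of its branch; None if branch unknown."""
    v = parse_version(version)
    fixed = FIXED.get(f"{v[0]}.{v[1]}")
    return None if fixed is None else v < fixed


def parse_yaml_scalars(text):
    """Collect top-level 'key: value' scalars; comments and nested keys are skipped."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z_]\w*):\s*([^#\s]+)", line)
        if m:
            out[m.group(1)] = m.group(2).strip("\"'").lower()
    return out


def risky_udf_config(yaml_text):
    """True only when all three UDF settings hold the exploitable values."""
    cfg = parse_yaml_scalars(yaml_text)
    return all(cfg.get(k) == v for k, v in UDF_KEYS.items())


def assess(version, yaml_text):
    """Combine version and configuration into a single triage verdict."""
    if needs_upgrade(version) is False:
        return "patched"
    if not risky_udf_config(yaml_text):
        return "unpatched but UDF settings are not the exploitable combination"
    return "VULNERABLE: upgrade, or revert the UDF settings to defaults"


# Constructed cassandra.yaml excerpt showing the risky combination.
SAMPLE_YAML = """\
cluster_name: 'Test Cluster'
# enable_user_defined_functions: false   <- commented-out lines are ignored
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""
```

Run `assess(version, open("/etc/cassandra/cassandra.yaml").read())` per node; versions on branches the advisory does not list return `None` from `needs_upgrade` and fall through to the configuration check.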