The bug is described as easy to exploit remotely although it seems to only be vulnerable in custom, non-default, configurations. In these custom configurations Cassandra is set up to handle user defined functions. If a specific option is not properly configured for these functions it allows an attacker to abuse the internal JavaScript engine and execute unauthorized code on the target system. The configuration item, located in the cassandra.yaml file is the “enable_user_defined_functions_threads” If this is set to False while other options for user defined functions are set to true (including allowing scripted functions) then the configuration is vulnerable to exploit and compromise.

As previously mentioned, Apache already has a patched version available (3.0.26, 3.11.12, and 4.0.2) which remediated the vulnerability even if these other options are enabled. The “fix” is the addition of a new setting in the yaml file, “allow_extra_insecure_udfs” that is disabled (set to false) by default. This should block the execution of unauthorized user defined function but does seem to be more of a bandage than a real fix.

Still, something is better than nothing when it comes to RCE flaws. It you are running a non-patched version of Cassandra and have UDFs enabled then it is highly recommended that you patch as soon as possible to avoid compromise. The CVE this is tracked under is CVE-2021-44521.

Happy patching