The Cyber Security News
High-Severity RCE Security Bug Reported in Apache Cassandra Database Software

February 16, 2022

Researchers have disclosed details of a now-patched high-severity security vulnerability in Apache Cassandra that, if left unaddressed, could be abused to gain remote code execution on affected installations.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems, but luckily only manifests in non-default configurations of Cassandra,” Omer Kaspi, security researcher at DevOps firm JFrog, said in a technical write-up published Tuesday.

Apache Cassandra is an open-source, distributed, NoSQL database management system for managing very large amounts of structured data across commodity servers.


Tracked as CVE-2021-44521 (CVSS score: 8.4), the vulnerability concerns a specific scenario in which the configuration for user-defined functions (UDFs) is enabled, effectively allowing an attacker to leverage the Nashorn JavaScript engine, escape the sandbox, and achieve execution of untrusted code.


Specifically, it was found that Cassandra deployments are vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

  • enable_user_defined_functions: true
  • enable_scripted_user_defined_functions: true
  • enable_user_defined_functions_threads: false

“When the [enable_user_defined_functions_threads] option is set to false, all invoked UDF functions run in the Cassandra daemon thread, which has a security manager with some permissions,” Kaspi said, thus allowing the adversary to disable the security manager, break out of the sandbox, and run arbitrary shell commands on the server.


Apache Cassandra users are encouraged to upgrade to versions 3.0.26, 3.11.12, and 4.0.2 to avoid possible exploitation. The fix adds a new flag, “allow_extra_insecure_udfs”, which is set to false by default and prevents the security manager from being turned off.
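The three cassandra.yaml settings above, plus the new flag introduced by the fix, are all flat top-level keys, so an operator can audit a fleet for the risky combination without a full YAML library. The script below is an added example written for this article; it is not code from JFrog, Apache, or the original report. It assumes the Cassandra defaults (UDFs and scripted UDFs disabled, UDF threads enabled, `allow_extra_insecure_udfs` false) and, as its own assumption, treats `allow_extra_insecure_udfs: true` as re-opening the risk on a patched build, since the advisory describes the false setting as the thing that blocks disabling the security manager. The sample YAML fragments are constructed for the demonstration.

```python
"""Audit a cassandra.yaml for the CVE-2021-44521 UDF sandbox-escape configuration.

Added example for this article; not Apache/JFrog code. Sample inputs are constructed.
"""

# Constructed sample fragments (not real deployments).
SAMPLE_VULNERABLE = """\
# constructed cassandra.yaml fragment: the combination named in the advisory
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

SAMPLE_HARDENED = """\
# constructed fragment: UDFs still on, but running in their own threads
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: true
allow_extra_insecure_udfs: false
"""

SAMPLE_DEFAULT = """\
# constructed fragment: UDF keys absent, so Cassandra defaults apply
cluster_name: 'Test Cluster'
"""

# Cassandra defaults for the keys of interest (assumption: matches shipped cassandra.yaml).
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
    "allow_extra_insecure_udfs": False,
}


def parse_top_level(yaml_text):
    """Minimal parser for flat `key: value` lines.

    Skips comments, blank lines and indented (nested) lines; enough for the
    scalar keys audited here. Values containing '#' would be truncated.
    """
    settings = {}
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def as_bool(settings, key):
    """Interpret a YAML boolean, falling back to the Cassandra default for the key."""
    value = settings.get(key)
    if value is None:
        return DEFAULTS[key]
    return value.lower() == "true"


def assess(settings):
    """Return (risky, findings) for the UDF settings the advisory names."""
    udfs = as_bool(settings, "enable_user_defined_functions")
    scripted = as_bool(settings, "enable_scripted_user_defined_functions")
    threads = as_bool(settings, "enable_user_defined_functions_threads")
    extra_insecure = as_bool(settings, "allow_extra_insecure_udfs")

    if not udfs:
        return False, ["enable_user_defined_functions is false (default): not exposed"]

    findings = []
    if scripted:
        findings.append("scripted (Nashorn JavaScript) UDFs are enabled")
    if not threads:
        findings.append("enable_user_defined_functions_threads is false: UDFs run in the daemon thread")
    if extra_insecure:
        # Assumption: the opt-in flag re-enables what the fix blocks by default.
        findings.append("allow_extra_insecure_udfs is true: security manager may be disabled on patched builds")

    risky = scripted and (not threads or extra_insecure)
    if risky:
        findings.append("remediation: upgrade to 3.0.26 / 3.11.12 / 4.0.2 and set "
                        "enable_user_defined_functions_threads: true")
    return risky, findings


def check_file(path):
    """Audit a cassandra.yaml on disk; returns the same (risky, findings) tuple."""
    with open(path, encoding="utf-8") as fh:
        return assess(parse_top_level(fh.read()))


if __name__ == "__main__":
    for name, text in [("vulnerable", SAMPLE_VULNERABLE),
                       ("hardened", SAMPLE_HARDENED),
                       ("default", SAMPLE_DEFAULT)]:
        risky, findings = assess(parse_top_level(text))
        print(f"{name}: {'RISKY' if risky else 'ok'}")
        for f in findings:
            print(f"  - {f}")
```

Running the script prints one verdict per constructed sample; `check_file("/etc/cassandra/cassandra.yaml")` applies the same check to a real node. Note that a clean verdict from this audit only says the configuration does not match the advisory's combination; upgrading to a fixed release is still the actual remediation.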

Some pieces of this article are sourced from:
thehackernews.com

Copyright © TheCyberSecurity.News, All Rights Reserved.