# 2022-02 - CVE-2021-44521 (Cassandra "user defined functions")

Last updated: 2022-02-21

This page concerns **on-premise** (i.e. self-hosted) installations of [wire-server](https://github.com/wireapp/wire-server) as documented in [docs.wire.com](https://docs.wire.com) and their possible vulnerability to [CVE-2021-44521](https://www.cve.org/CVERecord?id=CVE-2021-44521).

## Introduction

Cassandra versions before 3.0.26, 3.11.12 and 4.0.2 are potentially vulnerable to remote code execution when run in non-standard configurations ([CVE-2021-44521](https://www.cve.org/CVERecord?id=CVE-2021-44521)). If an attacker is able to create "user defined functions" within Cassandra, they can gain Remote Code Execution (RCE)/Sandbox Escape and compromise the system executing the user defined function.

Cassandra deployments are only vulnerable to CVE-2021-44521 when the `cassandra.yaml` configuration file contains the following definitions:

```yaml
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
```

## Are Wire installations affected?

**Wire/wire-server is not affected by CVE-2021-44521**. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.

The Wire backend neither uses "user defined functions" in Cassandra nor provides access to them. Also, the provided Cassandra configurations do not use the vulnerable configuration.

## Further information

* Wire-server makes use of Cassandra. Since the start of Wire’s on-premise product, we have used Cassandra versions > 3 (currently 3.11.x).
* Additional details can be found in the [Security Advisory of JFrog](https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/), who detected and reported the vulnerability.
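
To check a self-hosted node against the two conditions given in the Introduction (release number and the three `cassandra.yaml` settings), the following added example, which is not part of wire-server or Cassandra, reads the top-level keys with a small line-based parser. The defaults for absent keys, the accepted boolean spellings and the treatment of release lines after 4.0 are assumptions; the sample configuration is constructed.

```python
import re

# The cassandra.yaml combination this page lists as the vulnerable one.
VULNERABLE = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}
# Assumption (not from this page): when a key is absent Cassandra uses the
# opposite value for each of the three settings, i.e. the safe default.
DEFAULTS = {key: not value for key, value in VULNERABLE.items()}
TRUTHY = {"true", "yes", "on"}  # boolean spellings accepted by YAML 1.1
LINE = re.compile(r"^([A-Za-z_]+)\s*:\s*([^#\s]+)")


def read_flags(yaml_text):
    """Return the effective value of the three UDF flags (top-level keys only)."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = LINE.match(line)  # anchored at column 0: skips comments and nested keys
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() in TRUTHY
    return flags


def is_vulnerable_config(yaml_text):
    """True only when all three flags match the combination listed above."""
    return read_flags(yaml_text) == VULNERABLE


def is_patched(version):
    """True for 3.0.26+, 3.11.12+ and 4.0.2+, the fixed releases named above."""
    parts = (tuple(int(p) for p in re.findall(r"\d+", version)) + (0, 0, 0))[:3]
    fixed = {(3, 0): 26, (3, 11): 12, (4, 0): 2}
    if parts[:2] in fixed:
        return parts[2] >= fixed[parts[:2]]
    return parts[:2] > (4, 0)  # assumption: later release lines carry the fix


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# enable_user_defined_functions: false
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false   # constructed inline comment
"""

if __name__ == "__main__":
    print("vulnerable configuration:", is_vulnerable_config(SAMPLE))
    print("3.11.11 patched:", is_patched("3.11.11"))
```

A node needs attention only when `is_vulnerable_config` is true and `is_patched` is false for the release it runs.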