2022-02 - CVE-2021-44521 (Cassandra “user defined functions”)

Last updated: 2022-02-21

This page concerns on-premise (i.e. self-hosted) installations of wire-server as documented in docs.wire.com and its possible vulnerability to CVE-2021-44521.

Introduction

Cassandra versions before 3.0.26, 3.11.12 and 4.0.2 are, in non-standard configurations, potentially vulnerable to remote code execution (CVE-2021-44521).

If an attacker is able to create “user defined functions” within Cassandra, they can escape the UDF sandbox, gain Remote Code Execution (RCE) and compromise the system executing the user defined function.

Cassandra deployments are only vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
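As an added illustration (not part of the Wire advisory), the following script checks a cassandra.yaml for the three-setting combination named above and compares the running Cassandra version against the fixed releases the advisory lists. The two embedded configuration fragments are constructed samples; the line-based parser and the `assess` function are assumptions of this example, not Wire or Cassandra code.

```python
"""Check a cassandra.yaml and a Cassandra version for CVE-2021-44521 exposure.

Added example, not from the advisory. It follows the advisory's condition
literally: a deployment is flagged only when all three keys are explicitly
set to the vulnerable values AND the version predates the fixed release.
"""
import re

# The combination the advisory names as vulnerable.
VULNERABLE_SETTINGS = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}

# Constructed sample: a non-standard config with the vulnerable combination.
VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true   # needed for CREATE FUNCTION
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
"""

# Constructed sample: UDFs left disabled (the shape a hardened config takes).
SAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: true
"""


def parse_settings(yaml_text):
    """Collect top-level `key: value` pairs with a single-token value.

    Comments are stripped; indented (nested) keys and multi-word values are
    ignored, which is sufficient for the three boolean keys checked here.
    """
    settings = {}
    for line in yaml_text.splitlines():
        line = line.split("#", 1)[0].rstrip()
        m = re.match(r"^([A-Za-z0-9_]+):\s*(\S+)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip("'\"").lower()
    return settings


def has_vulnerable_udf_config(yaml_text):
    """True only when every key in VULNERABLE_SETTINGS is explicitly set as listed."""
    settings = parse_settings(yaml_text)
    return all(settings.get(k) == v for k, v in VULNERABLE_SETTINGS.items())


def parse_version(version):
    """'3.11.12' -> (3, 11, 12); trailing suffixes such as '-SNAPSHOT' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Cassandra version: %r" % version)
    return tuple(int(p) for p in m.groups())


def version_is_fixed(version):
    """Apply the advisory's fixed releases: 3.0.26, 3.11.12 and 4.0.2."""
    v = parse_version(version)
    if v >= (4, 0, 2):
        return True
    if v[:2] == (3, 0):
        return v >= (3, 0, 26)
    if v[0] == 3 and v[1] >= 11:
        return v >= (3, 11, 12)
    # Anything else (4.0.0/4.0.1, older 3.x lines) predates a fixed release.
    return False


def assess(version, yaml_text):
    """Return 'vulnerable' or 'not vulnerable' for a version/config pair."""
    if not has_vulnerable_udf_config(yaml_text):
        return "not vulnerable"
    return "not vulnerable" if version_is_fixed(version) else "vulnerable"


if __name__ == "__main__":
    for ver in ("3.0.25", "3.11.11", "3.11.12", "4.0.1", "4.0.2"):
        print(ver, "vulnerable config:", assess(ver, VULNERABLE_YAML),
              "| safe config:", assess(ver, SAFE_YAML))
```

Run it against your own cassandra.yaml by replacing the constructed samples; a missing key is treated as not matching the advisory's condition, so a deployment that never set these keys reports "not vulnerable" regardless of version, which matches the advisory's statement that only the non-standard configuration is affected.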

Are Wire installations affected?

Wire/wire-server is not affected by CVE-2021-44521. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.

The Wire backend neither uses nor provides access to “user defined functions” in Cassandra. In addition, the Cassandra configurations shipped with wire-server do not use the vulnerable combination of settings.

Further information

  • Wire-server makes use of Cassandra. Since the start of Wire’s on-premise product, we have used Cassandra versions newer than 3 (currently 3.11.x).

  • Additional details can be found in the Security Advisory of JFrog, who detected and reported the vulnerability.