2022-02 - CVE-2021-44521 (Cassandra “user defined functions”)
Last updated: 2022-02-21
Cassandra versions before 3.0.26, 3.11.12 and 4.0.2, when run in a non-standard configuration, are potentially vulnerable to remote code execution (CVE-2021-44521).
If an attacker is able to create “user defined functions” within Cassandra, they can gain Remote Code Execution (RCE)/Sandbox Escape and compromise the system executing the user defined function.
Cassandra deployments are only vulnerable to CVE-2021-44521 when the
cassandra.yaml configuration file contains the following definitions:
    enable_user_defined_functions: true
    enable_scripted_user_defined_functions: true
    enable_user_defined_functions_threads: false
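The version and configuration conditions above can be checked mechanically. The script below is an added example, not part of Wire's advisory or of Cassandra itself; it assumes a minimal top-level key scanner in place of a YAML library and assumes Cassandra's shipped defaults for the three flags (false, false, true).

```python
# Check a Cassandra node against the CVE-2021-44521 exposure conditions.
# Assumptions (not from the advisory): a minimal top-level 'key: value' scanner
# stands in for a YAML library, and the Cassandra defaults for the three flags
# are taken to be false / false / true respectively.
import re

# Minimum fixed version per release line, as stated in the advisory.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

# Assumed Cassandra defaults; the vulnerable combination inverts all three.
DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

def parse_flags(yaml_text):
    """Return the three UDF flags as booleans, using the defaults when absent.
    Only top-level, uncommented 'key: value' lines are considered."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"^([A-Za-z_]+)\s*:\s*(\S+)", line)  # no indent => top level
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() == "true"
    return flags

def version_is_fixed(version):
    """True if the version carries the fix. Lines newer than 4.0 are treated
    as fixed; lines older than 3.0 (e.g. 2.x) as unfixed."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    if parts[:2] in FIXED:
        return parts >= FIXED[parts[:2]]
    return parts[:2] > (4, 0)

def cve_2021_44521_exposed(version, yaml_text):
    """Exposure needs an unfixed version AND the full vulnerable flag combination."""
    f = parse_flags(yaml_text)
    vulnerable_config = (f["enable_user_defined_functions"]
                         and f["enable_scripted_user_defined_functions"]
                         and not f["enable_user_defined_functions_threads"])
    return vulnerable_config and not version_is_fixed(version)

# Constructed sample: the exact combination the advisory names as vulnerable.
VULNERABLE_YAML = """enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

if __name__ == "__main__":
    print(cve_2021_44521_exposed("3.11.11", VULNERABLE_YAML))  # True
```

A node is reported as exposed only when both conditions hold; a fixed version or any one of the three flags left at its default clears it.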
Are Wire installations affected?
Wire/wire-server is not affected by CVE-2021-44521. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.
The Wire backend does not provide access to or use “user defined functions” in Cassandra. The Cassandra configurations that Wire provides also do not use the vulnerable settings.
Wire-server makes use of Cassandra. Since the start of Wire’s on-premise product, we have used Cassandra versions > 3 (currently 3.11.x).
Additional details can be found in the Security Advisory of JFrog, who detected and reported the vulnerability.