2022-02 - CVE-2021-44521 (Cassandra “user defined functions”)
Last updated: 2022-02-21
Cassandra in versions before 3.0.26, 3.11.12 and 4.0.2, when run in non-standard configurations, is potentially vulnerable to remote code execution (CVE-2021-44521).
If an attacker is able to create “user defined functions” within Cassandra, they can gain Remote Code Execution (RCE)/Sandbox Escape and compromise the system executing the user defined function.
Cassandra deployments are only vulnerable to CVE-2021-44521 when the cassandra.yaml configuration file contains the following definitions:

    enable_user_defined_functions: true
    enable_scripted_user_defined_functions: true
    enable_user_defined_functions_threads: false
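The following script is an added example (not Wire's or Cassandra's own code) that checks the two conditions the advisory names: it reads the three UDF settings from a cassandra.yaml and compares the running version against the fixed releases 3.0.26, 3.11.12 and 4.0.2. The sample cassandra.yaml fragments are constructed for the example; the minimal key/value parser is an assumption that avoids a PyYAML dependency and only handles top-level scalar keys, which is all that is needed for these three settings.

```python
"""Check a Cassandra version and cassandra.yaml for the CVE-2021-44521
conditions described in the advisory (added example, not project code)."""
from __future__ import annotations

# The combination of settings the advisory names as vulnerable.
VULNERABLE_SETTINGS = {
    "enable_user_defined_functions": "true",
    "enable_scripted_user_defined_functions": "true",
    "enable_user_defined_functions_threads": "false",
}

# Fixed releases on the 3.x lines; anything from 4.0.2 upward is handled separately.
FIXED_3X_LINES = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12)}
FIXED_4X_FROM = (4, 0, 2)


def parse_simple_yaml(text: str) -> dict[str, str]:
    """Extract top-level `key: value` scalars from cassandra.yaml.

    Minimal by design (assumption: no PyYAML available): comments, blank
    lines and indented (nested) entries are skipped; values are unquoted
    and lower-cased so `True`, 'true' and true compare equal.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("'\"").lower()
    return settings


def has_vulnerable_config(settings: dict[str, str]) -> bool:
    """True only when all three flags match the advisory's combination.

    A key that is absent from the file does not match, because the advisory's
    condition is that the file contains these definitions.
    """
    return all(settings.get(k) == v for k, v in VULNERABLE_SETTINGS.items())


def parse_version(version: str) -> tuple[int, ...]:
    """'3.11.12' -> (3, 11, 12); a suffix such as '-SNAPSHOT' is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_fixed_version(version: str) -> bool:
    """True if the version is at or beyond the fix for its release line.

    Versions the advisory does not cover with a fix (e.g. 2.x, or 3.x lines
    other than 3.0 and 3.11) are reported as not fixed.
    """
    v = parse_version(version)
    if v >= FIXED_4X_FROM:
        return True
    fixed = FIXED_3X_LINES.get(v[:2])
    return fixed is not None and v >= fixed


def assess(version: str, yaml_text: str) -> str:
    """Combine the version and configuration checks into one verdict."""
    vulnerable_cfg = has_vulnerable_config(parse_simple_yaml(yaml_text))
    if is_fixed_version(version):
        return "not affected: fixed version"
    if not vulnerable_cfg:
        return "not affected: UDF settings are not the vulnerable combination"
    return "potentially vulnerable: unfixed version with vulnerable UDF settings"


# Constructed sample fragments of a cassandra.yaml (not from any real deployment).
SAMPLE_VULNERABLE_YAML = """\
cluster_name: 'Test Cluster'
# UDF settings exactly as the advisory lists them
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""

SAMPLE_SAFE_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
"""

if __name__ == "__main__":
    import sys

    # Usage: python check_cve_2021_44521.py <cassandra-version> <path/to/cassandra.yaml>
    if len(sys.argv) == 3:
        with open(sys.argv[2], encoding="utf-8") as fh:
            print(assess(sys.argv[1], fh.read()))
    else:
        print(assess("3.11.11", SAMPLE_VULNERABLE_YAML))
        print(assess("3.11.11", SAMPLE_SAFE_YAML))
```

The version string can be taken from `nodetool version` on the node; the script deliberately reports a version it cannot place on a fixed line as unfixed, so an unexpected release line is flagged for manual review rather than silently passed.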
Are Wire installations affected?
Wire/wire-server is not affected by CVE-2021-44521. Neither Wire-server on the cloud (on wire.com) nor on-premise installations are affected.
The Wire backend does not provide access to, or make use of, “user defined functions” in Cassandra. In addition, the Cassandra configurations provided with Wire do not use the vulnerable combination of settings.