Serious vulnerability found in Apache Cassandra NoSQL database

Administrators who oversee installations of the Apache Cassandra distributed NoSQL database are urged to upgrade to the latest version after the discovery of a remote code execution vulnerability.

The problem —  CVE-2021-44521– was discovered by researchers at JFrog, who described it in a blog this week.

“This Apache security vulnerability is easy to exploit and has the potential to wreak havoc on systems,” they wrote, “but luckily only manifests in non-default configurations of Cassandra.”

According to JFrog, Cassandra is extremely popular because it runs on a distributed platform. Researchers say it is used by enterprises including Netflix, Twitter, Reddit, Cisco Systems, OpenX and more. Cassandra is also extremely popular in DevOps and cloud-native development circles, JFrog says, and is even offered by providers as a cloud-based database-as-a-service.

The vulnerability is in the Nashorn engine within Cassandra’s Java Runtime Environment (JRE) which is a JavaScript engine that runs on top of the Java Virtual Machine (JVM). Nashorn is not guaranteed to be secure when accepting untrusted code, says JFrog. Therefore, any service that allows such behavior must always wrap the Nashorn execution in a sandbox. Cassandra’s development team created a custom sandbox to solve this. However, JFrog researchers found that a mix of specific (non-default) configuration options could allow them to abuse the Nashorn engine, escape the sandbox and achieve remote code execution.

Cassandra admins running version 3.0.x should upgrade to 3.0.26; those running 3.11.x should upgrade to 3.11.12; and those on version 4.0.x should upgrade to 4.0.2.

“Every week there’s another critical RCE vulnerability with the potential to wreak havoc that enterprise security teams rush to patch before moving on to the next one,” commented Greg Fitzgerald, co-founder of Sevco Security. “The most significant risk for enterprises isn’t the speed at which they are applying critical patches; it comes from not applying the patches on every asset. The simple fact is that most organizations fail to maintain an up-to-date and accurate IT asset inventory, and the most fastidious approach to patch management cannot ensure that all enterprise assets – including those that are abandoned or forgotten about – are accounted for. It’s impossible to defend your network when you can’t see the entire attack surface. That’s why the ability to develop a comprehensive, real-time inventory of IT assets is a foundational element of any successful security program.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now