Wiz
Vulnerability DatabaseCVE-2021-44521

CVE-2021-44521
Apache Cassandra vulnerability analysis and mitigation

Overview

CVE-2021-44521 is a high-severity remote code execution vulnerability in Apache Cassandra, discovered by Omer Kaspi of the JFrog Security vulnerability research team. The vulnerability affects Apache Cassandra versions 3.0.x before 3.0.26, 3.11.x before 3.11.12, and 4.0.x before 4.0.2. The issue exists when specific non-default configuration options are enabled, allowing attackers with sufficient permissions to execute arbitrary code on the host system (JFrog Blog, SecurityWeek).

Technical details

The vulnerability occurs when Cassandra is configured with three specific settings in the cassandra.yaml file: enableuserdefinedfunctions: true, enablescripteduserdefinedfunctions: true, and enableuserdefinedfunctions_threads: false. The issue stems from the implementation of user-defined functions (UDFs) using the Nashorn JavaScript engine, which is not guaranteed to be secure when accepting untrusted code. When UDF threads are disabled, the functions run in the Cassandra daemon thread with elevated permissions, allowing attackers to disable the security manager and escape the sandbox. The vulnerability has received a CVSS v3.1 base score of 9.1 (CRITICAL) (NVD, JFrog Blog).

Impact

Successful exploitation of this vulnerability could lead to complete system compromise, allowing attackers to execute arbitrary code on the host system. The impact is particularly severe for organizations using Cassandra in their infrastructure, including major companies like Netflix, Twitter, Reddit, and Cisco (SecurityWeek, Hacker News).

Mitigation and workarounds

Apache has released patched versions to address this vulnerability: users should upgrade to version 3.0.26 (for 3.0.x users), 3.11.12 (for 3.11.x users), or 4.0.2 (for 4.0.x users). The fix adds a new flag 'allowextrainsecureudfs' (false by default) which prevents turning off the security manager. Alternative mitigations include setting enableuserdefinedfunctionsthreads to true (the default setting) or completely disabling UDFs by setting enableuserdefinedfunctions to false (JFrog Blog, OSS Security).

Additional resources

SourceThis report was generated using AI

Related Apache Cassandra vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-26467HIGH8.8
  • Apache CassandraApache Cassandra
  • org.apache.cassandra:cassandra-all
NoYesAug 25, 2025
CVE-2025-23015HIGH8.8
  • Apache CassandraApache Cassandra
  • cassandra-4.0
NoYesFeb 04, 2025
CVE-2023-43642HIGH7.5
  • Apache CassandraApache Cassandra
  • log4j:2::log4j-jcl
NoYesSep 25, 2023
CVE-2025-24860MEDIUM5.4
  • Apache CassandraApache Cassandra
  • cpe:2.3:a:apache:cassandra
NoYesFeb 04, 2025
CVE-2024-27137MEDIUM5.3
  • Apache CassandraApache Cassandra
  • cassandra
NoYesFeb 04, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo