CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVSS2: 8.5 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

EPSS: 0.046 Low (Percentile: 92.3%)
A remote code execution (RCE) vulnerability in Apache Cassandra, assigned CVE-2021-44521, affects Datastax Enterprise with IBM.

CVE ID: CVE-2021-44521

**DESCRIPTION:** Apache Cassandra could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw that is present when the configuration includes enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/219451 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
Datastax Enterprise with IBM | 5.1, 6.0, 6.7, 6.8 |
Affected Product(s) | Version(s) | Remediation/Fix/Instructions |
---|---|---|
Datastax Enterprise with IBM | 5.1, 6.0, 6.7, 6.8 | DataStax Enterprise (DSE) versions 5.1, 6.0, 6.7, and 6.8 are NOT impacted by CVE-2021-44521 in their default configuration. The cassandra.yaml file should match the table below: |

cassandra.yaml setting | Default value |
---|---|
enable_user_defined_functions | false |
enable_scripted_user_defined_functions | false |
enable_user_defined_functions_threads | true |
If the cassandra.yaml settings differ from the table above, either roll back to the default settings or update to the following releases:
Product | Version | Fixed Version |
---|---|---|
Datastax Enterprise with IBM | 5.1.x | 5.1.29 |
Datastax Enterprise with IBM | 6.0.x | 6.0.17 |
Datastax Enterprise with IBM | 6.7.x | 6.7.16 |
Datastax Enterprise with IBM | 6.8.x | 6.8.20 |
IBM strongly recommends addressing the vulnerability now by either upgrading to the latest versions (5.1.29, 6.0.17, 6.7.16, 6.8.20) or rolling back to default settings.
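As an added example (not IBM's or DataStax's code), the check below reads the three settings named in this bulletin from a cassandra.yaml, reports whether a node carries the exact combination the description lists, and names every setting that deviates from the defaults in the table so it can be rolled back. It assumes a simplified parser for unindented `key: value` lines only; the sample YAML is constructed.

```python
import re

# The three settings this bulletin names, with the defaults an unaffected node must match.
SAFE_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Matches an unindented `key: value` line, allowing a trailing `# comment`.
_LINE = re.compile(r"^(?P<key>[A-Za-z_][A-Za-z0-9_]*):\s*(?P<val>[^#]*?)\s*(#.*)?$")


def parse_top_level_scalars(text):
    """Simplified parser (assumption): collects only top-level scalar keys.
    Nested blocks, lists and indented lines are skipped, which is enough for
    the three flat settings this check cares about."""
    found = {}
    for raw in text.splitlines():
        if not raw or raw[0].isspace() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if m and m.group("val") != "":
            found[m.group("key")] = m.group("val").strip("'\"")
    return found


def to_bool(value, default):
    """Map a YAML boolean literal to bool; an absent key takes Cassandra's default."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    raise ValueError("not a boolean: %r" % value)


def assess(yaml_text):
    """Return (exposed, deviations): exposed is True only for the combination the
    bulletin describes; deviations lists settings that differ from the defaults."""
    cfg = parse_top_level_scalars(yaml_text)
    effective = {k: to_bool(cfg.get(k), d) for k, d in SAFE_DEFAULTS.items()}
    exposed = (effective["enable_user_defined_functions"]
               and effective["enable_scripted_user_defined_functions"]
               and not effective["enable_user_defined_functions_threads"])
    deviations = sorted(k for k, v in effective.items() if v != SAFE_DEFAULTS[k])
    return exposed, deviations


# Constructed sample files, not taken from any real cluster.
VULNERABLE_YAML = ("cluster_name: 'Test Cluster'\n"
                   "enable_user_defined_functions: true\n"
                   "enable_scripted_user_defined_functions: true   # JavaScript UDFs\n"
                   "enable_user_defined_functions_threads: false\n")
DEFAULT_YAML = "cluster_name: 'Test Cluster'\nenable_user_defined_functions: false\n"

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_YAML), ("default", DEFAULT_YAML)):
        print(name, assess(text))
```

Running the block prints `vulnerable (True, [...])` with all three settings listed and `default (False, [])`; a node with only enable_user_defined_functions enabled is reported as not exposed but still deviating from the default table.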