UPDATED 20:40 EDT / FEBRUARY 16 2022


Apache Cassandra vulnerability has the potential to ‘wreak havoc’

A new remote code execution vulnerability in Apache Cassandra has the potential to “wreak havoc” on systems used by large companies.

Cassandra is a free, open-source, distributed NoSQL database management system that handles large amounts of data across commodity servers. Originally created by Facebook Inc., now Meta Platforms Inc., Cassandra provides extremely high availability with no single point of failure, making it useful for applications that track and monitor user activity, social media analytics and messaging applications.

Cassandra is used by enterprises such as Netflix Inc., Twitter Inc., Airship Group Inc., Constant Contact Inc., Reddit Inc., Cisco Systems Inc., OpenX, Digg Inc. and CloudKick. It’s also a popular service in DevOps and cloud-native development.

Discovered by security researchers at JFrog Inc. and revealed Tuesday, the vulnerability, officially named CVE-2021-44521, has a Common Vulnerability Scoring System score of 8.4 out of 10, which is considered high. The vulnerability is related to a failure to sanitize user-defined function inputs properly.

The issue lies specifically in Cassandra’s use of the Nashorn engine, a JavaScript engine that runs on top of the Java Virtual Machine, to execute user-defined functions. Nashorn is not guaranteed to be secure when accepting untrusted code, the researchers note.

As a result, any service that allows such behavior must wrap the Nashorn execution in a sandbox. The researchers found, however, that certain non-default configuration options could allow an attacker to abuse the Nashorn engine and gain access to a targeted system. They note that the vulnerability is easy to exploit but only manifests in those non-default configurations.

Those running Apache Cassandra are urged to update their installations to the latest release, which addresses the vulnerability.

“Cassandra is a broadly used database for companies of all sizes,” Casey Bisson, head of product and developer relations at code security solutions provider BluBracket Inc., told SiliconANGLE. “It’s reported to be used as critical infrastructure supporting multiple top-tier internet giants, so a remote code execution vulnerability could have a broad impact with very serious consequences. Threat actors may be able to read or manipulate sensitive data in vulnerable configurations.”

John Bambenek, Principal Threat Hunter at information technology and security operations company Netenrich Inc., noted that though it’s not as serious as Log4j, it does look like it’s potentially widespread.

“Even though it requires nondefault user configuration settings, I suspect that the settings are common in many applications around the world,” Bambenek explained. “Unfortunately, there is no way to know exactly how many installations are vulnerable and this is likely the kind of vulnerability that will be missed by automated vulnerability scanners. Enterprises will have to go into the configuration files of every Cassandra instance to determine what their risk is.”
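A check a defender can run against the point Bambenek raises above, added here as an example (it is not code from the article, from JFrog or from the Cassandra project): it reads the top-level switches of a cassandra.yaml and reports whether the non-default combination that exposes Nashorn is present, so a fleet can be triaged without relying on a network scanner. The three key names, their shipped defaults and the specific combination flagged as vulnerable are assumptions taken from the public advisory for the CVE rather than from this article; the two sample configurations are constructed.

```python
import re

# cassandra.yaml switches that govern user-defined functions (UDFs).
# Key names and shipped defaults are assumptions (real keys, but not named
# in the article); the article only says the risky settings are non-default.
UDF_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

_TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_flat_yaml(text):
    """Collect top-level `key: value` pairs from a cassandra.yaml.

    Deliberately minimal and dependency-free: comments, blank lines and
    indented (nested) content are skipped, which is all that is needed to
    read the three boolean UDF switches. Values are returned as raw strings.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line or line[0] in " \t-":
            continue
        m = _TOP_LEVEL.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def as_bool(value, default):
    """YAML-style boolean, falling back to the shipped default when absent."""
    if value is None:
        return default
    v = value.strip().strip("'\"").lower()
    if v in ("true", "yes", "on"):
        return True
    if v in ("false", "no", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def assess_udf_exposure(yaml_text):
    """Classify one node's UDF configuration.

    Returns (level, reasons) where level is one of:
      "none"       - UDFs disabled (the shipped default)
      "low"        - only Java UDFs enabled; the Nashorn engine is not reachable
      "review"     - scripted (JavaScript) UDFs enabled but run on isolated threads
      "vulnerable" - scripted UDFs enabled with thread isolation off: the
                     non-default combination reported for CVE-2021-44521
    """
    settings = parse_flat_yaml(yaml_text)
    flags = {k: as_bool(settings.get(k), d) for k, d in UDF_DEFAULTS.items()}
    if not flags["enable_user_defined_functions"]:
        return "none", ["user-defined functions are disabled"]
    if not flags["enable_scripted_user_defined_functions"]:
        return "low", ["only Java UDFs are enabled; Nashorn is not reachable"]
    reasons = ["scripted (Nashorn) UDFs are enabled"]
    if not flags["enable_user_defined_functions_threads"]:
        reasons.append("UDF thread isolation is disabled")
        return "vulnerable", reasons
    reasons.append("UDFs run on isolated threads; still confirm the node is on a patched release")
    return "review", reasons


def audit_fleet(configs):
    """Map node name -> level for a {name: yaml_text} dict, worst first."""
    order = {"vulnerable": 0, "review": 1, "low": 2, "none": 3}
    results = {name: assess_udf_exposure(text)[0] for name, text in configs.items()}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]]))


# Constructed sample configurations (not real deployments).
SAMPLE_VULNERABLE = """\
cluster_name: 'Analytics'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs via Nashorn
enable_user_defined_functions_threads: false
"""
SAMPLE_DEFAULT = """\
cluster_name: 'Analytics'
num_tokens: 16
"""

if __name__ == "__main__":
    fleet = {"node-a": SAMPLE_VULNERABLE, "node-b": SAMPLE_DEFAULT}
    for name, level in audit_fleet(fleet).items():
        print(f"{name}: {level}")
```

Feed `audit_fleet` the cassandra.yaml contents collected from each node (over whatever configuration management already reaches them) and treat every "vulnerable" result as a node to patch first; a "review" result still warrants confirming the release version, since the engine itself is not designed to run untrusted code.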

