CVE-2021-44521 - OpenCVE

When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:M/Au:S/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Apache	Cassandra

Configuration 1 [-]

OR	cpe:2.3:a:apache:cassandra::::::::
	cpe:2.3:a:apache:cassandra::::::::
	cpe:2.3:a:apache:cassandra::::::::

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2022/02/11/4
https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/
https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356
https://nvd.nist.gov/vuln/detail/CVE-2021-44521
https://security.netapp.com/advisory/ntap-20220225-0001/
https://www.cve.org/CVERecord?id=CVE-2021-44521

History

No history.

MITRE

Status: PUBLISHED

Assigner: apache

Published: 2022-02-11T12:20:12

Updated: 2024-08-04T04:25:16.640Z

Reserved: 2021-12-02T00:00:00

Link: CVE-2021-44521

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-02-11T13:15:07.907

Modified: 2022-08-09T00:39:07.850

Link: CVE-2021-44521

Redhat

Severity : Moderate

Publid Date: 2022-02-11T00:00:00Z

Links: CVE-2021-44521 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Apache Cassandra", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "unspecified", "status": "affected", "version": "3.0.0", "versionType": "custom"}, {"lessThan": "3.0.26", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "3.1", "versionType": "custom"}, {"lessThan": "3.11.12", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "4.0.0", "versionType": "custom"}, {"lessThan": "4.0.2", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team."}], "descriptions": [{"lang": "en", "value": "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."}], "metrics": [{"other": {"content": {"other": "high"}, "type": "unknown"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-02-25T09:06:17", "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356"}, {"name": "[oss-security] 20220211 CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/4"}, {"tags": ["x_refsource_MISC"], "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20220225-0001/"}], "source": {"defect": ["CASSANDRA-17352"], "discovery": "UNKNOWN"}, "title": "Remote code execution for scripted UDFs", "workarounds": [{"lang": "en", "value": "Set `enable_user_defined_functions_threads: true` (this is default)\nor\n3.0 users should upgrade to 3.0.26\n3.11 users should upgrade to 3.11.12\n4.0 users should upgrade to 4.0.2"}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@apache.org", "ID": "CVE-2021-44521", "STATE": "PUBLIC", "TITLE": "Remote code execution for scripted UDFs"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Apache Cassandra", "version": {"version_data": [{"version_affected": ">=", "version_value": "3.0.0"}, {"version_affected": "<", "version_value": "3.0.26"}, {"version_affected": ">=", "version_value": "3.1"}, {"version_affected": "<", "version_value": "3.11.12"}, {"version_affected": ">=", "version_value": "4.0.0"}, {"version_affected": "<", "version_value": "4.0.2"}]}}]}, "vendor_name": "Apache Software Foundation"}]}}, "credit": [{"lang": "eng", "value": "This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": [{"other": "high"}], "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}]}, "references": {"reference_data": [{"name": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356", "refsource": "MISC", "url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356"}, {"name": "[oss-security] 20220211 CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/02/11/4"}, {"name": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/", "refsource": "MISC", "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/"}, {"name": "https://security.netapp.com/advisory/ntap-20220225-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20220225-0001/"}]}, "source": {"defect": ["CASSANDRA-17352"], "discovery": "UNKNOWN"}, "work_around": [{"lang": "en", "value": "Set `enable_user_defined_functions_threads: true` (this is default)\nor\n3.0 users should upgrade to 3.0.26\n3.11 users should upgrade to 3.11.12\n4.0 users should upgrade to 4.0.2"}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T04:25:16.640Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356"}, {"name": "[oss-security] 20220211 CVE-2021-44521: Apache Cassandra: Remote code execution for scripted UDFs", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/4"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20220225-0001/"}]}]}, "cveMetadata": {"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "assignerShortName": "apache", "cveId": "CVE-2021-44521", "datePublished": "2022-02-11T12:20:12", "dateReserved": "2021-12-02T00:00:00", "dateUpdated": "2024-08-04T04:25:16.640Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*", "matchCriteriaId": "8DC06A32-4458-44A4-B6DD-EA9BFD362D09", "versionEndExcluding": "3.0.26", "versionStartIncluding": "3.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF6C2BFF-2F8A-40B8-85E5-3C6C658C3A97", "versionEndExcluding": "3.11.12", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FBC157-F7A5-43F5-B416-354C3B28F78A", "versionEndExcluding": "4.0.2", "versionStartIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE."}, {"lang": "es", "value": "Cuando es ejecutado Apache Cassandra con la siguiente configuraci\u00f3n: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false es posible que un atacante ejecute c\u00f3digo arbitrario en el host. El atacante necesitar\u00eda tener suficientes permisos para crear funciones definidas por el usuario en el cluster para poder explotar esto. Tenga en cuenta que esta configuraci\u00f3n est\u00e1 documentada como no segura, y seguir\u00e1 siendo considerada no segura despu\u00e9s de esta CVE"}], "id": "CVE-2021-44521", "lastModified": "2022-08-09T00:39:07.850", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 8.5, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-02-11T13:15:07.907", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/02/11/4"}, {"source": "security@apache.org", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/"}, {"source": "security@apache.org", "tags": ["Issue Tracking", "Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356"}, {"source": "security@apache.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20220225-0001/"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-94"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "cassandra: RCE for scripted UDFs", "id": "2053774", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2053774"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.", "A flaw was found in Cassandra that allows users with certain permissions to execute user-defined functions to create scripts and run remote code execution. This flaw allows an attacker to gain unwanted access and also execute actions against Cassandra."], "name": "CVE-2021-44521", "package_state": [{"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:a_mq_clients:2", "fix_state": "Not affected", "package_name": "org.apache.logging.log4j-log4j", "product_name": "A-MQ Clients 2"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-agent-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-all-in-one-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-collector-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-es-index-cleaner-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-es-rollover-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-ingester-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:jaeger:1.17::el7", "fix_state": "Not affected", "package_name": "distributed-tracing/jaeger-query-rhel8", "product_name": "Distributed Tracing Jaeger 1"}, {"cpe": "cpe:/a:redhat:quarkus:2", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat Integration Camel K"}, {"cpe": "cpe:/a:redhat:camel_quarkus:2", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat Integration Camel Quarkus"}, {"cpe": "cpe:/a:redhat:integration:1", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat Integration Data Virtualisation Operator"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_data_virtualization:6", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Data Virtualization 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "jboss-on", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:jboss_fuse:6", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Fuse 6"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "impact": "low", "package_name": "cassandra", "product_name": "Red Hat JBoss Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse_service_works:6", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Fuse Service Works 6"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "cassandra", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:jboss_operations_network:3", "fix_state": "Out of support scope", "package_name": "org.jboss.on-jboss-on-parent", "product_name": "Red Hat JBoss Operations Network 3"}, {"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "Red Hat OpenShift Application Runtimes"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/metrics-schema-installer", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-cassandra", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-hawkular-metrics", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "openshift3/ose-metrics-schema-installer", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "ocs4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_container_storage:4", "fix_state": "Out of support scope", "package_name": "odf-multicluster-operator-container", "product_name": "Red Hat Openshift Container Storage 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-must-gather-rhel8", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/ocs-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/odf-multicluster-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf4/rook-ceph-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_data_foundation:4", "fix_state": "Affected", "package_name": "odf/odf-multicluster-rhel8-operator", "product_name": "Red Hat Openshift Data Foundation 4"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-agent-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-all-in-one-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-collector-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-index-cleaner-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-es-rollover-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-ingester-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openshift_distributed_tracing:2", "fix_state": "Not affected", "package_name": "rhosdt/jaeger-query-rhel8", "product_name": "Red Hat OpenShift distributed tracing 2"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "opendaylight", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "package_name": "puppet-cassandra", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "puppet-cassandra", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "puppet-cassandra", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "puppet-cassandra", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:amq_streams:1", "fix_state": "Not affected", "package_name": "cassandra", "product_name": "streams for Apache Kafka"}], "public_date": "2022-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-44521\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-44521"], "statement": "While the CVSS is quite high this flaw has been downgraded to moderate impact for three main reasons:\n* Administrator privileges are required.\n* The configuration required to enable this flaw is non-default.\n* Cassandra documentation describes this configuration to be unsafe. This configuration should continue to be considered unsafe even after applying the fix for this CVE.", "threat_severity": "Moderate", "upstream_fix": "cassandra 3.0.26, cassandra 3.11.12, cassandra 4.0.2"}