According to the researchers who reported it, a high-severity security bug in Apache Cassandra has been disclosed and assigned CVE-2021-44521. The bug lies in how the database runs user-defined functions (UDFs), the mechanism for custom processing of data inside queries: when scripted (JavaScript) UDFs are enabled and the node is running a non-default configuration, a user who is permitted to create functions can escape the UDF sandbox and execute code on the database host. It is easy to exploit on an unpatched node whose configuration exposes it, and it is rated 8.4 (high) on the CVSS scale.
Fortunately, Cassandra is not as widely deployed as Log4j. But, like any open source component, it can turn up where you least expect it, so you still need to check everywhere: software you build, software you deploy, and software embedded in products you might not otherwise consider (including cloud services). The initial step of the response is therefore the same, even though it will yield fewer things you need to go and fix. Of course, we love to say we told you so: if you already had a ready-made inventory of SBOMs for everything you run, you would not need to go searching every time, and the alerts should arrive automatically.
The disclosure of CVE-2021-44521 in Apache Cassandra is yet another reminder of how important it is to manage the software supply chain. Open source projects like Cassandra provide high-quality functionality and serve as the building blocks of software applications. However, "open source" does not mean free of cost: open source components must be tracked and managed as part of a holistic application security process, and development teams must know the licenses of the components they use and their known vulnerabilities. When you know which components are in your application, and what risk each carries, you can make informed decisions that keep you and your customers safe.
While it is interesting to delve into the details of the vulnerability, the more important question for most organizations is this: are we using a vulnerable version of Cassandra in any of our applications? Software Composition Analysis (SCA) tools help answer that question by analyzing applications and identifying the components that were used to build them. Furthermore, a good SCA tool notifies you as soon as a new vulnerability surfaces. If you use Cassandra in any of your applications, your SCA tool would already have notified you about CVE-2021-44521 and you could already be working on a fix. One caveat: SCA sees the version, not the runtime configuration, so on each node you still want to confirm both that the version carries the fix (3.0.26, 3.11.12 or 4.0.2 on the respective branches) and whether the cassandra.yaml settings that expose the scripted-UDF sandbox escape are in effect.
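The following is an added triage example, not code from the original article or from the Cassandra project. It encodes two facts from the Apache advisory for CVE-2021-44521: the first fixed release on each affected branch (3.0.26, 3.11.12, 4.0.2) and the three cassandra.yaml flags whose combination (scripted UDFs enabled, the per-UDF thread guard disabled) makes the sandbox escape reachable. The function names, the verdict strings and the sample cassandra.yaml fragment are our own; the sample is constructed, not taken from a real deployment.

```python
"""Triage helper for CVE-2021-44521: does a given Cassandra node need attention?

Added example, not code from the article or the Cassandra project. Fixed versions
and flag names come from the Apache advisory; everything else here is assumed.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed release on each affected branch, per the Apache advisory.
FIXED_RELEASES = {
    (3, 0): (3, 0, 26),
    (3, 11): (3, 11, 12),
    (4, 0): (4, 0, 2),
}

# cassandra.yaml defaults for the flags that gate the vulnerable code path.
# A flag that is absent from the file takes its default value.
UDF_FLAG_DEFAULTS: Dict[str, bool] = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Matches uncommented top-level "flag: true|false" lines. Commented lines start
# with "#" rather than the key, so they are ignored.
_FLAG_RE = re.compile(
    r"^(enable_user_defined_functions|enable_scripted_user_defined_functions|"
    r"enable_user_defined_functions_threads)\s*:\s*(true|false)\b",
    re.MULTILINE,
)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a version such as '3.11.11' or '4.0.1-SNAPSHOT' to (major, minor, patch)."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Cassandra version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def version_is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it carries the
    fix, None if the branch is not one the advisory lists (e.g. 2.x): review manually."""
    major, minor, patch = parse_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def udf_flags(cassandra_yaml: str) -> Dict[str, bool]:
    """Read the three UDF flags from cassandra.yaml text, falling back to defaults."""
    flags = dict(UDF_FLAG_DEFAULTS)
    for m in _FLAG_RE.finditer(cassandra_yaml):
        flags[m.group(1)] = m.group(2) == "true"
    return flags


def config_exposes_sandbox_escape(flags: Dict[str, bool]) -> bool:
    """The advisory's precondition: scripted UDFs on and the per-UDF thread guard
    off. With any of the three flags at its default, the path is unreachable."""
    return (
        flags["enable_user_defined_functions"]
        and flags["enable_scripted_user_defined_functions"]
        and not flags["enable_user_defined_functions_threads"]
    )


def assess(version: str, cassandra_yaml: str) -> str:
    """Combine version and configuration into one verdict for a node."""
    vulnerable = version_is_vulnerable(version)
    if vulnerable is None:
        return "BRANCH_NOT_IN_ADVISORY"
    if not vulnerable:
        return "PATCHED"
    if config_exposes_sandbox_escape(udf_flags(cassandra_yaml)):
        return "VULNERABLE"           # reachable now: upgrade, or restore the defaults
    return "UPGRADE_RECOMMENDED"      # vulnerable code present, unreachable with this config


# Constructed sample: the relevant lines of a cassandra.yaml that has been loosened
# to allow scripted UDFs without the thread guard. Not a real file.
SAMPLE_CASSANDRA_YAML = """\
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
# enable_user_defined_functions_threads: true   <- commented out, so ignored
enable_user_defined_functions_threads: false
"""

if __name__ == "__main__":
    for v in ("3.11.11", "3.11.12", "4.0.1", "2.2.19"):
        print(v, assess(v, SAMPLE_CASSANDRA_YAML))
```

Run it against the version string from `nodetool version` (or the SCA finding) and the node's cassandra.yaml. A verdict of UPGRADE_RECOMMENDED means the version still needs patching even though the escape is not reachable today; a later configuration change would make it reachable without any new code being deployed.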