Cyl created CASSANDRA-21227:
-------------------------------
Summary: Lack of heap quotas and compilation boundaries in Java UDFs leads to severe Daemon stability risks
Key: CASSANDRA-21227
URL: https://issues.apache.org/jira/browse/CASSANDRA-21227
Project: Apache Cassandra
Issue Type: Bug
Reporter: Cyl
Hi team,
While user_defined_functions_enabled is disabled by default for security
reasons, enabling it introduces severe stability risks that are currently
unguarded, even for authorized users with CREATE FUNCTION permissions:
1. Compilation Thread Pool Exhaustion: Synchronous compilation of large Java
internal bodies via ECJ runs squarely on Dispatcher.requestExecutor. Submitting
multiple complex UDF creations concurrently stalls the node's standard query
capabilities (CPU exhaustion).
2. Heap Memory Exhaustion (OOM): While execution time is guarded (default
500ms), heap usage is not. A UDF that allocates massive arrays (e.g.,
multi-gigabyte byte[]) can easily force the Cassandra JVM to OOM and crash the
Daemon entirely in just a few seconds, long before the execution timeout is
triggered.
Suggestions for improvement:
- Introduce a per-invocation UDF heap allocation tracker or quota.
- Rate-limit CREATE FUNCTION validations and strictly offload compilation
payloads away from the requestExecutor pool (so malicious multi-thousand line
submissions won't lock user traffic).
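As an added illustration (not Cassandra's code, and not from the reporter), a stand-alone Java sketch of the per-invocation heap quota suggested above: it runs a task on its own thread, charges that thread's allocated bytes against a quota through the HotSpot `com.sun.management.ThreadMXBean` extension, and shows why such a tracker can only bound gradual growth. The class, method and thread names are invented for this example.

```java
import com.sun.management.ThreadMXBean;
import java.lang.management.ManagementFactory;
import java.util.*;
import java.util.concurrent.*;

/** Stand-alone sketch of a per-invocation heap allocation quota (hypothetical, not Cassandra code). */
public final class HeapQuotaDemo {
    // HotSpot extension exposing cumulative bytes allocated by each thread, independent of GC.
    private static final ThreadMXBean THREADS = (ThreadMXBean) ManagementFactory.getThreadMXBean();

    /** Runs body on a fresh thread and aborts it once that thread has allocated more than quotaBytes. */
    static <T> T runWithHeapQuota(Callable<T> body, long quotaBytes, long pollMillis) throws Exception {
        if (!THREADS.isThreadAllocatedMemorySupported()) {
            throw new UnsupportedOperationException("JVM does not expose per-thread allocation counters");
        }
        THREADS.setThreadAllocatedMemoryEnabled(true);
        FutureTask<T> task = new FutureTask<>(body);
        Thread worker = new Thread(task, "udf-worker");
        worker.setDaemon(true);
        worker.start();                      // fresh thread, so its allocation counter starts near zero
        long tid = worker.getId();
        while (true) {
            try {
                return task.get(pollMillis, TimeUnit.MILLISECONDS);
            } catch (TimeoutException stillRunning) {
                long used = THREADS.getThreadAllocatedBytes(tid);
                if (used > quotaBytes) {
                    task.cancel(true);       // interrupts the worker; the body must observe the interrupt
                    throw new IllegalStateException("UDF heap quota exceeded: " + used + " > " + quotaBytes);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a runaway function body: keeps 1 MiB chunks alive until interrupted.
        Callable<Integer> runaway = () -> {
            List<byte[]> retained = new ArrayList<>();
            while (!Thread.currentThread().isInterrupted()) retained.add(new byte[1 << 20]);
            return retained.size();
        };
        try {
            runWithHeapQuota(runaway, 64L << 20, 5);   // 64 MiB quota, polled every 5 ms
        } catch (IllegalStateException quotaHit) {
            System.out.println(quotaHit.getMessage());
        }
        // Limits: bytes allocated between two polls are charged late, and a single allocation larger
        // than the free heap fails with OutOfMemoryError before any poll runs, so this caps gradual growth only.
    }
}
```

The second limit is exactly the gap the report describes: a quota checked after the fact cannot stop one oversized array, so it complements rather than replaces a hard cap on what a function is allowed to allocate.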
--
This message was sent by Atlassian Jira
(v8.20.10#820010)