[ https://issues.apache.org/jira/browse/CASSANDRA-21230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
C. Scott Andreas updated CASSANDRA-21230:
-----------------------------------------
Resolution: Not A Bug
Status: Resolved (was: Triage Needed)
> Authenticated DoS via `CREATE FUNCTION` Java Compilation
> --------------------------------------------------------
>
> Key: CASSANDRA-21230
> URL: https://issues.apache.org/jira/browse/CASSANDRA-21230
> Project: Apache Cassandra
> Issue Type: Bug
> Components: CQL/Semantics, Feature/Rate Limiting, Feature/UDF
> Reporter: Cyl
> Priority: Normal
> Labels: dos, performance, security
>
> h2. Vulnerability Description
> *Name*: Authenticated DoS via {{CREATE FUNCTION}} Java Compilation
> *Overview*:
> The {{CREATE FUNCTION}} statement allows users to define User Defined
> Functions (UDFs). When a UDF is defined using the Java language, the
> Cassandra server compiles the provided Java source code into bytecode using
> the Eclipse Compiler for Java (ECJ).
> This compilation process occurs synchronously on the request executor thread
> ({{Dispatcher.requestExecutor}}) during the validation phase of the
> {{CREATE FUNCTION}} statement execution (specifically in the {{apply}} method of
> {{CreateFunctionStatement}}, which performs a local "dry-run" of the schema
> transformation).
> An attacker with {{CREATE FUNCTION}} permissions can send multiple concurrent
> {{CREATE FUNCTION}} requests with complex Java code (e.g., thousands of lines
> of code). This triggers multiple concurrent compilation tasks on the request
> executor threads, exhausting the thread pool and causing high CPU usage,
> leading to a denial of service for other clients.
> *Affected Configurations*:
> * Clusters with {{user_defined_functions_enabled: true}} (default is false).
> * Users with {{CREATE}} permission on functions.
> *Impact*:
> * Denial of service due to request executor thread pool exhaustion.
> * High CPU usage on the coordinator node.
> * Inability to process other CQL requests.
> * Client timeouts ({{OperationTimedOut}}) for legitimate queries.
> h2. Proof-of-Concept
> The attack involves sending many concurrent {{CREATE FUNCTION}} requests.
> Each request defines a function with a large body that requires significant
> compilation effort.
> *Steps*:
> # Enable UDFs in {{cassandra.yaml}} ({{user_defined_functions_enabled: true}}).
> # Start Cassandra.
> # Create a user with {{CREATE FUNCTION}} permissions (or use superuser).
> # Launch multiple threads (e.g., 200), each sending {{CREATE FUNCTION}}
> statements with unique function names and a large Java body (e.g., 5000 lines
> of arithmetic operations).
> # Monitor the latency of a simple {{SELECT now()}} query.
> *Observed Results*:
> * Victim query latency increases significantly (e.g., from 2ms to >1s).
> * Attack threads receive {{OperationTimedOut}} errors, indicating the server
> is overloaded.
> h2. Problematic Code Reference
> In {{src/java/org/apache/cassandra/cql3/statements/schema/AlterSchemaStatement.java}}:
> {code:java}
> public ResultMessage execute(QueryState state)
> {
> // ...
> // Perform a 'dry-run' attempt to apply the transformation locally
> ClusterMetadata metadata = ClusterMetadata.current();
> apply(metadata); // Calls CreateFunctionStatement.apply()
> // ...
> }
> {code}
> In {{src/java/org/apache/cassandra/cql3/statements/schema/CreateFunctionStatement.java}}:
> {code:java}
> public Keyspaces apply(ClusterMetadata metadata)
> {
> // ...
> UDFunction function =
> UDFunction.create(new FunctionName(keyspaceName, functionName),
> // ...
> language,
> body);
> // ...
> }
> {code}
> In {{src/java/org/apache/cassandra/cql3/functions/UDFunction.java}}:
> {code:java}
> public static UDFunction create(...)
> {
> // ...
> return new JavaBasedUDFunction(name, ...);
> }
> {code}
> In {{src/java/org/apache/cassandra/cql3/functions/JavaBasedUDFunction.java}}:
> {code:java}
> JavaBasedUDFunction(...)
> {
> // ...
> // Synchronous compilation on the calling thread
> compiler.compile(new ICompilationUnit[]{ compilationUnit });
> // ...
> }
> {code}
> h2. Recommended Fixes
> # *Offload Compilation*: Perform the UDF compilation on a separate thread
> pool (e.g., a dedicated {{udfExecutor}} or {{internalExecutor}}) instead of
> the main request executor.
> # *Rate Limiting*: Implement rate limiting for {{CREATE FUNCTION}} statements
> to prevent abuse.
> # *Limit Code Size/Complexity*: Enforce stricter limits on the size or
> complexity of the UDF source code.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
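The three fixes the reporter recommends (offloading compilation to a bounded dedicated pool, rate limiting {{CREATE FUNCTION}}, and capping UDF source size) can be modelled as a single admission check that runs before any compiler work is scheduled. The following is an added example written for this page; it is not Cassandra code (Cassandra is Java, this is a language-neutral Python model), and the names {{UdfCompileGuard}}, {{TokenBucket}}, {{simulate_burst}} and the default limits are hypothetical. The bounded semaphore stands in for the capacity of a dedicated compile executor: a request that cannot get a slot is rejected immediately instead of blocking a request executor thread, which is the failure mode the ticket describes.

```python
"""Model of the admission guard proposed in the ticket's "Recommended Fixes".

Hypothetical example for illustration; not part of Apache Cassandra.
Order of checks: cheap size cap first, then per-role rate limit, then a
non-blocking grab of a bounded compile slot. Nothing here ever waits on the
thread that handles the CQL request.
"""
import threading
from collections import Counter, defaultdict


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, refilled at `refill_per_sec`."""

    def __init__(self, capacity, refill_per_sec):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.tokens = float(capacity)
        self.last = None  # timestamp of the previous attempt, None until first use

    def try_take(self, now):
        # Refill proportionally to elapsed time, never above capacity.
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class UdfCompileGuard:
    """Decides whether a CREATE FUNCTION request may be handed to the compiler."""

    def __init__(self, max_source_bytes=64 * 1024, max_concurrent_compiles=2,
                 creates_per_minute=6, burst=3):
        self.max_source_bytes = max_source_bytes
        # Models the bounded capacity of a dedicated compile executor (fix 1).
        self.slots = threading.BoundedSemaphore(max_concurrent_compiles)
        # One bucket per authenticated role (fix 2).
        self._buckets = defaultdict(lambda: TokenBucket(burst, creates_per_minute / 60.0))
        self._lock = threading.Lock()

    def admit(self, role, source, now):
        """Return (admitted, reason). Caller must call release() once compilation ends."""
        # Fix 3: reject oversized bodies before spending any CPU on them.
        if len(source.encode("utf-8")) > self.max_source_bytes:
            return (False, "source too large")
        # Fix 2: per-role token bucket; a flood from one role is throttled quickly.
        with self._lock:
            allowed = self._buckets[role].try_take(now)
        if not allowed:
            return (False, "rate limited")
        # Fix 1: never queue on the request thread; fail fast when the pool is full.
        if not self.slots.acquire(blocking=False):
            return (False, "compiler busy")
        return (True, "admitted")

    def release(self):
        """Free a compile slot after the offloaded compilation has finished."""
        self.slots.release()


def simulate_burst(n_requests, body_lines, role="attacker", guard=None):
    """Replay the PoC shape: many concurrent CREATE FUNCTION requests at the same
    instant from one role, each with `body_lines` lines of arithmetic (constructed
    sample body). Admitted requests keep their slot, as a still-running compile would.
    Returns a dict of decision reason -> count."""
    guard = guard or UdfCompileGuard()
    body = "\n".join("x = (x * 31 + 7) % 1000003;" for _ in range(body_lines))
    counts = Counter()
    for _ in range(n_requests):
        _, reason = guard.admit(role, body, now=0.0)
        counts[reason] += 1
    return dict(counts)


if __name__ == "__main__":
    # 200 requests with 5000-line bodies (the ticket's PoC parameters) all fail the size cap.
    print(simulate_burst(200, body_lines=5000))
    # Small bodies: two reach the compiler, one finds the pool full, the rest are throttled.
    print(simulate_burst(200, body_lines=10))
```

Because the size check runs before the token bucket, an oversized body is rejected without consuming a token; whether such attempts should also count against the role's quota is a policy choice worth making explicitly in a real implementation.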