Our monthly roundup of key activities and knowledge to keep the community informed.
Release Notes
Released
The latest release of Apache Cassandra is 4.0.3 (pgp, sha256, and sha512), which has been available since 17 February 2022. We also released new versions of the other supported branches (3.11.12 and 3.0.26) to address CVE-2021-44521.
In short, if you’re running Cassandra with the following non-default configuration, it is possible for an attacker to execute arbitrary code on the host:
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true
enable_user_defined_functions_threads: false
In addition to this configuration, the attacker also needs permission to create user-defined functions.
We suggest 3.0 users should upgrade to 3.0.26; 3.11 users should upgrade to 3.11.12; and 4.0 users should upgrade to 4.0.3.
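The following audit script is an added example for this newsletter, not code from the Apache Cassandra project. It reads a cassandra.yaml and reports whether the three settings named above are set to the combination the advisory describes. It assumes that a key absent from the file takes the shipped default, which (since the post calls this combination non-default) is never the risky value; the parser is deliberately minimal (unindented `key: true/false` lines only) so it needs no YAML library. The sample configuration fragments are constructed for the demonstration. A match means the version upgrade above applies; it does not by itself say whether any role has been granted permission to create functions, which the script cannot see from the file.

```python
"""Check a cassandra.yaml for the UDF settings combination tied to CVE-2021-44521."""
import re

# The three settings named in the advisory and the value each takes in the
# vulnerable combination; all three must match for the issue to apply.
RISKY_VALUES = {
    "enable_user_defined_functions": True,
    "enable_scripted_user_defined_functions": True,
    "enable_user_defined_functions_threads": False,
}

# Assumed shipped defaults, used when a key is absent from the file. This is an
# assumption of the example: the advisory only says the risky combination is
# non-default, so an absent key is treated as the safe value.
ASSUMED_DEFAULTS = {
    "enable_user_defined_functions": False,
    "enable_scripted_user_defined_functions": False,
    "enable_user_defined_functions_threads": True,
}

# Matches an unindented "key: value" line, allowing a trailing "# comment".
_TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*:\s*(.*?)\s*(?:#.*)?$")


def parse_top_level_booleans(text):
    """Return {key: bool} for each unindented 'key: true|false' line.

    Blank lines, comments, indented (nested) lines and non-boolean values are
    skipped, since the check only needs the three top-level boolean keys.
    """
    settings = {}
    for raw in text.splitlines():
        if not raw.strip() or raw[0] in " \t#":
            continue
        match = _TOP_LEVEL.match(raw)
        if not match:
            continue
        key, value = match.group(1), match.group(2).lower()
        if value in ("true", "false"):
            settings[key] = value == "true"
    return settings


def effective_udf_settings(text):
    """Resolve the three advisory keys to their effective values (file or assumed default)."""
    parsed = parse_top_level_booleans(text)
    return {key: parsed.get(key, ASSUMED_DEFAULTS[key]) for key in RISKY_VALUES}


def is_rce_exposed(text):
    """True only when all three settings equal the values named in the advisory."""
    effective = effective_udf_settings(text)
    return all(effective[key] == value for key, value in RISKY_VALUES.items())


def audit_report(text):
    """Human-readable summary: each setting, whether it matches, and a verdict."""
    effective = effective_udf_settings(text)
    lines = []
    for key, value in effective.items():
        flag = "  <-- matches advisory" if value == RISKY_VALUES[key] else ""
        lines.append(f"{key}: {str(value).lower()}{flag}")
    if is_rce_exposed(text):
        lines.append("VULNERABLE combination: upgrade to 3.0.26 / 3.11.12 / 4.0.3")
    else:
        lines.append("not the vulnerable combination")
    return "\n".join(lines)


# Constructed sample fragments (not real deployments).
VULNERABLE_YAML = """\
# constructed cassandra.yaml fragment
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: true   # JavaScript UDFs allowed
enable_user_defined_functions_threads: false
"""

HARDENED_YAML = """\
# constructed cassandra.yaml fragment: UDFs on, but scripted UDFs off
cluster_name: 'Test Cluster'
enable_user_defined_functions: true
enable_scripted_user_defined_functions: false
enable_user_defined_functions_threads: true
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_YAML
    print(audit_report(source))
```

Run it as `python check_udf_config.py /etc/cassandra/cassandra.yaml` (path is an assumption; use your own); with no argument it audits the constructed vulnerable sample. Because the parser only looks at unindented lines, it will not be fooled by a setting of the same name nested under another key, and it ignores quoted or non-boolean values rather than guessing at them.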
Thanks to Omer Kaspi of the JFrog Security vulnerability research team for the discovery.
Please read the release notes and let us know if you encounter any problems.
Note: As the docs are not yet updated, the bintray location for Debian users is replaced with the ASF’s JFrog Artifactory location.
See the download section for the latest stable and older supported versions of source and binary distributions.
To stay up-to-date, we recommend joining the Cassandra mailing lists.
Community Notes
Updates on Cassandra Enhancement Proposals (CEPs), how to contribute, and other community activities.
Are you new to the project? We have a handy ‘Contributing to Cassandra’ page for how to get involved and get started. Additionally, we have established two boards you should take a look at if you are new to the project. One is a kanban board for “Failing Tests” tickets that are unassigned and the other corresponds to our Low Hanging Fruit or “Starter Tickets” for 4.0.x and 4.1.x. Feel free to self-select a ticket to work on.
Any of these tickets should be of appropriate complexity for someone new to the project to tackle. Just remember to assign yourself to the ticket and update its status, such as ‘Work in Progress’ or ‘Needs Committer/Patch Available’ when you submit your patch. You can also reach out on the ASF Slack in the #cassandra-dev Slack channel. Use @cassandra_mentors to contact our Cassandra mentors!
Read PMC member Josh McKenzie’s latest bi-weekly update for ongoing discussions and the latest on ticket progress.
Discussed
The vulnerability detailed above generated a discussion on Apache Cassandra’s hotfix release procedure. The current status of the discussion indicates that future hotfixes will likely be based on a branch off the previously released tag, so the diff for any hotfix includes only the changes for that hotfix and nothing else. This will likely involve a lazy-consensus wiki update. Details will be confirmed soon.
Added
The PMC is pleased to announce that Anthony Grasso, Lorina Poland, and Erick Ramirez have accepted the invitation to become committers! This is a big milestone for the project as we branch out from only having core database code contributors as committers and start recognizing and elevating other parts of our ecosystem. Congrats to you all! 👏
Passed
The discussion on Storage Attached Index (SAI) was closed, moved to a vote and passed! SAI is designed to replace the original secondary indexing. This will enable users to index multiple columns on the same table without suffering scaling problems, especially at write time.
Passed
The discussion for CEP-19 Trie Memtable Implementation has moved to a vote. Memtables can become a pain point for memory management and garbage collection, so Branimir Lambov is proposing an alternative memtable implementation based on tries. This feature builds on CEP-11: Pluggable memtable implementations.
Discussed
Chris Thornett opened up a topic on the Apache Cassandra content process on the wiki for discussion. Please take a look and chime in if you have some experience or interest in this area. Here’s a link to the post on the Confluence wiki.
Discussed
The project has been actively working on fuzz testing Apache Cassandra for the past several years, and in February Alex Petrov and other contributors merged in support for property-based fuzz testing. This approach has already surfaced a number of bugs in complex systems with subtle temporal relationships, and there is an ongoing discussion about rewriting some of our existing old tests to use this new framework. This rewrite would be a great benefit to the project in the long run, albeit a significant undertaking.
Petrov also cut a 0.0.1 release of Harry, a fuzz testing tool for Apache Cassandra.
If you’d like to learn more about Harry, you can read Petrov’s recent overview blog. You can also reach out to Alex Petrov on the #cassandra-dev Slack channel if you have any questions or need assistance writing your tests, or want to help to extend Harry.
Discussed
Caleb Rackliffe has been continuing the discussion on moving cassandra.yaml toward a more nested structure, and how to restructure our config .yaml in a manner that’s easier to comprehend, and maintainable for operators. This has major ramifications for anyone administering many large Cassandra clusters, so if you’re one of those people please take a few minutes to ramp up on the topic and get involved in the discussion.
User Space
Kinetic Data
Kinetic Data developed a low-code system, a forms and workflow engine built on top of Apache Cassandra, where, for example, users can define a form with drag and drop fields and store the data in Cassandra.
Once it’s set up and running it’s hands off. Quite frankly, it’s easy from an operations perspective […] so our customers, they’re using Cassandra, but they don’t really realize it […]. But they do say, ‘it’s always up. It’s always fast.’ It’s all these benefits that you really want the end-user to know about.
CEO of Kinetic Data
Do you have a Cassandra case study to share? Email cassandra@constantia.io.
In the News
The New Stack: JFrog Finds RCE Issue in Apache Cassandra
Cassandra Tutorials & More
Apache Cassandra and Java SE 11 - Chris Thornett
Behind the Scenes of an Apache Cassandra Release - Josh McKenzie
Fast General Purpose Transactions in Apache Cassandra - Benedict Elliott Smith
Leveraging Virtual Tables in Apache Cassandra 4.0 - Aaron Ploetz