CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.


Jihoon Son

Jan 29, 2021, 1:00:03 PM1/29/21
to anno...@apache.org, Druid User
Description:

Apache Druid includes the ability to execute user-provided JavaScript
code embedded in various types of requests. This functionality is
intended for use in high-trust environments, and is disabled by
default. However, in Druid 0.20.0 and earlier, it is possible for an
authenticated user to send a specially-crafted request that forces
Druid to run user-provided JavaScript code for that request,
regardless of server configuration. This can be leveraged to execute
code on the target machine with the privileges of the Druid server
process.

Mitigation:

Users should upgrade to Druid 0.20.1. Whenever possible, network
access to cluster machines should be restricted to trusted hosts only.

Credit:

This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
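The flaw class described above, a per-request setting that is allowed to win over a server-side security switch, modelled as an added example. This is constructed illustration code, not Apache Druid's code, and the setting name `scripting.enabled`, the request shapes and the handler are all hypothetical; the point is the contrast between a resolver that merges request context over server configuration and one that treats the scripting switch as server-authoritative and refuses (visibly, so it can be logged) any request that tries to set it.

```python
# Added illustration for the flaw class in the advisory: a request-supplied
# setting overriding a server-side security switch. Constructed model, not
# Apache Druid code; every name below is hypothetical.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict

# Hypothetical server-authoritative setting gating user-supplied scripts.
SCRIPTING_KEY = "scripting.enabled"
SERVER_ONLY_KEYS = frozenset({SCRIPTING_KEY})


@dataclass
class ServerConfig:
    # Scripting is off by default, matching the advisory's description.
    settings: Dict[str, Any] = field(
        default_factory=lambda: {SCRIPTING_KEY: False})


def resolve_vulnerable(server: ServerConfig,
                       request_ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Flawed resolution: request context is merged over server settings, so a
    request can switch scripting on for itself regardless of the operator."""
    merged = dict(server.settings)
    merged.update(request_ctx)
    return merged


def resolve_hardened(server: ServerConfig,
                     request_ctx: Dict[str, Any]) -> Dict[str, Any]:
    """Hardened resolution: a request that tries to set a server-only key is
    refused outright rather than silently ignored, so the attempt surfaces in
    logs and metrics; all other context keys are still accepted."""
    attempted = SERVER_ONLY_KEYS & request_ctx.keys()
    if attempted:
        raise PermissionError(
            f"request tried to override server-only settings: {sorted(attempted)}")
    merged = dict(server.settings)
    merged.update(request_ctx)  # safe: no server-only key can be present here
    return merged


Resolver = Callable[[ServerConfig, Dict[str, Any]], Dict[str, Any]]


def handle(server: ServerConfig, request: Dict[str, Any],
           resolve: Resolver) -> str:
    """Model request handler: a 'script' filter is evaluated only when the
    resolved settings allow it. Returns a short outcome string."""
    try:
        settings = resolve(server, request.get("context", {}))
    except PermissionError as exc:
        return f"denied: {exc}"
    uses_script = request.get("filter", {}).get("type") == "script"
    if uses_script and not settings.get(SCRIPTING_KEY, False):
        return "rejected: scripting disabled on this server"
    return "ran script" if uses_script else "ran query"


# Constructed sample requests (not real Druid request shapes).
PLAIN_REQUEST = {"filter": {"type": "selector", "value": "x"}}
SCRIPT_REQUEST = {"filter": {"type": "script", "function": "function(v){return true}"}}
OVERRIDE_REQUEST = {
    "context": {SCRIPTING_KEY: True},
    "filter": {"type": "script", "function": "function(v){return true}"},
}

if __name__ == "__main__":
    server = ServerConfig()
    samples = [("plain", PLAIN_REQUEST), ("script", SCRIPT_REQUEST),
               ("override", OVERRIDE_REQUEST)]
    for name, req in samples:
        print(f"{name:9s} vulnerable -> {handle(server, req, resolve_vulnerable)}")
        print(f"{name:9s} hardened   -> {handle(server, req, resolve_hardened)}")
```

Running the block shows the asymmetry the advisory is about: with the flawed resolver the request carrying its own copy of the switch gets its script run on a server where scripting is disabled, while the hardened resolver denies that request and only runs scripts when the operator has enabled them in server configuration. Returning a distinct "denied" outcome, rather than quietly dropping the key, is what gives detection something to alert on.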

David Glasser

Jan 29, 2021, 6:28:55 PM1/29/21
to d...@druid.apache.org, druid...@googlegroups.com
What is the oldest Druid version with this vulnerability?

Jihoon Son

Jan 29, 2021, 6:32:03 PM1/29/21
to Druid User, d...@druid.apache.org
I think all Druid versions except 0.20.1 can potentially have the bug.