Posted to dev@druid.apache.org by Jihoon Son <ji...@apache.org> on 2021/01/29 23:31:47 UTC

Re: [druid-user] Re: CVE-2021-25646: Authenticated users can override system configurations in their requests which allows them to execute arbitrary code.

I think all Druid versions except 0.20.1 can potentially have the bug.

On Fri, Jan 29, 2021 at 3:28 PM David Glasser <gl...@apollographql.com> wrote:
>
> What is the oldest Druid version with this vulnerability?
>
> On Fri, Jan 29, 2021 at 10:03 AM Jihoon Son <ji...@apache.org> wrote:
> >
> > Description:
> >
> > Apache Druid includes the ability to execute user-provided JavaScript
> > code embedded in various types of requests. This functionality is
> > intended for use in high-trust environments, and is disabled by
> > default. However, in Druid 0.20.0 and earlier, it is possible for an
> > authenticated user to send a specially-crafted request that forces
> > Druid to run user-provided JavaScript code for that request,
> > regardless of server configuration. This can be leveraged to execute
> > code on the target machine with the privileges of the Druid server
> > process.
> >
> > Mitigation:
> >
> > Users should upgrade to Druid 0.20.1. Whenever possible, network
> > access to cluster machines should be restricted to trusted hosts only.
> >
> > Credit:
> >
> > This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: dev-unsubscribe@druid.apache.org
> > For additional commands, e-mail: dev-help@druid.apache.org
> >
>
> --
> You received this message because you are subscribed to the Google Groups "Druid User" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to druid-user+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/CAOz3OdtkB1LdzCWo_nyBpUoDgD%2BvRby%3DaRrkNzzqvRgid_5Www%40mail.gmail.com.
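The class of bug the quoted advisory describes, a request body that can switch on a
server-owned setting, as an added illustration. This is hypothetical code written for
this page, not Druid's implementation: the field names (`config`, `enabled`,
`function`), the class names and the stand-in interpreter are assumptions, and the
request shown is constructed. The vulnerable binder populates every field of the
request object from the wire, including the one holding the server's configuration;
the hardened binder takes that field only from the server and rejects a payload that
tries to set it, so the attempt surfaces in logs instead of being silently dropped.

```python
# Added illustration of the vulnerability class in the advisory above (a request
# payload overriding a server-owned setting). Hypothetical code, not Druid's;
# the field and class names are assumptions.
import json
from dataclasses import dataclass, field


@dataclass(frozen=True)
class JavaScriptConfig:
    """Server-owned setting. Off by default, as the advisory says."""
    enabled: bool = False


@dataclass
class JavaScriptFilter:
    """Request object: a user-supplied function plus the config that gates it."""
    function: str = ""
    config: JavaScriptConfig = field(default_factory=JavaScriptConfig)


class JavaScriptDisabled(PermissionError):
    pass


def run_user_script(source: str, row: dict) -> str:
    """Stand-in for the script interpreter: records what would be executed
    rather than executing anything."""
    return f"would execute {source!r} on {row}"


# Vulnerable binder: the server-owned `config` field can be populated from the
# wire, so {"config": {"enabled": true}} in the payload overrides the server.
def bind_vulnerable(body: str, server_config: JavaScriptConfig) -> JavaScriptFilter:
    data = json.loads(body)
    cfg = JavaScriptConfig(**data["config"]) if "config" in data else server_config
    return JavaScriptFilter(function=data.get("function", ""), config=cfg)


# Hardened binder: server-owned fields never come from the payload, and a payload
# that names one is rejected outright rather than silently ignored.
SERVER_OWNED = frozenset({"config"})


def bind_hardened(body: str, server_config: JavaScriptConfig) -> JavaScriptFilter:
    data = json.loads(body)
    clash = SERVER_OWNED.intersection(data)
    if clash:
        raise ValueError(f"request may not set server-owned fields: {sorted(clash)}")
    return JavaScriptFilter(function=data.get("function", ""), config=server_config)


def apply_filter(flt: JavaScriptFilter, row: dict) -> str:
    """The gate the advisory describes: run only if the effective config allows it."""
    if not flt.config.enabled:
        raise JavaScriptDisabled("JavaScript execution is disabled on this server")
    return run_user_script(flt.function, row)


# Constructed sample request: the client tries to enable the feature itself.
CRAFTED_REQUEST = json.dumps({
    "type": "javascript",
    "function": "function(row) { return true; }",
    "config": {"enabled": True},
})
SERVER_CONFIG = JavaScriptConfig(enabled=False)   # operator left the feature off
SAMPLE_ROW = {"host": "db-1", "status": 500}      # constructed input row


def vulnerable_outcome() -> str:
    """Returns the interpreter call the vulnerable path would make."""
    return apply_filter(bind_vulnerable(CRAFTED_REQUEST, SERVER_CONFIG), SAMPLE_ROW)


def hardened_outcome() -> str:
    """Returns 'rejected' when the hardened path refuses the crafted request."""
    try:
        apply_filter(bind_hardened(CRAFTED_REQUEST, SERVER_CONFIG), SAMPLE_ROW)
    except ValueError:
        return "rejected"
    return "executed"


if __name__ == "__main__":
    print(vulnerable_outcome())
    print(hardened_outcome())
```

The point of the hardened binder is that the list of server-owned fields is explicit and
checked before any object is built; relying on the deserializer to "not happen to" bind a
field is what goes wrong in this class of bug. The version bump the advisory asks for is
still the fix for Druid itself; this code only shows the shape of the defect.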
