Posted to announce@apache.org by Jihoon Son <ji...@apache.org> on 2021/01/30 00:31:21 UTC

Subject: [CVE-2021-25646] Apache Druid remote code execution vulnerability

Vendor:
The Apache Software Foundation

Product:
Apache Druid

Versions Affected:
Apache Druid 0.20.0 and earlier

Description:
Apache Druid includes the ability to execute user-provided JavaScript
code embedded in various types of requests. This functionality is
intended for use in high-trust environments, and is disabled by
default. However, in Druid 0.20.0 and earlier, it is possible for an
authenticated user to send a specially-crafted request that forces
Druid to run user-provided JavaScript code for that request,
regardless of server configuration. This can be leveraged to execute
code on the target machine with the privileges of the Druid server
process.

Mitigation:
Users should upgrade to Druid 0.20.1. Whenever possible, network
access to cluster machines should be restricted to trusted hosts only.
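
As an added defender-side example (not part of this advisory or of the Druid project), the following Python walks a Druid native-query request body and flags every object typed `javascript`, which should never appear in traffic to a cluster that leaves the feature disabled; it complements the upgrade above by giving operators something to alert on in request logs. The object shape follows Druid's documented native query JSON, and the sample bodies are constructed for illustration.

```python
import json
from typing import Any, Iterator, List

# Constructed sample request bodies in Druid's native-query JSON shape.
SAFE_QUERY = {
    "queryType": "timeseries",
    "dataSource": "wikipedia",
    "aggregations": [{"type": "count", "name": "rows"}],
    "intervals": ["2021-01-01/2021-01-02"],
}

JS_QUERY = {
    "queryType": "timeseries",
    "dataSource": "wikipedia",
    "filter": {
        "type": "javascript",
        "dimension": "channel",
        "function": "function(x) { return x === '#en.wikipedia'; }",
    },
    "aggregations": [{"type": "count", "name": "rows"}],
    "intervals": ["2021-01-01/2021-01-02"],
}


def javascript_nodes(node: Any, path: str = "$") -> Iterator[str]:
    """Yield a JSONPath-like location for every object whose type is 'javascript'.

    Walks nested dicts and lists, since JavaScript-typed objects can sit in
    filters, aggregators, post-aggregators or extraction functions.
    """
    if isinstance(node, dict):
        if node.get("type") == "javascript":
            yield path
        for key, value in node.items():
            yield from javascript_nodes(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from javascript_nodes(value, f"{path}[{i}]")


def review_request(raw_body: str, javascript_enabled: bool = False) -> List[str]:
    """Return one alert string per JavaScript-typed object in a raw request body.

    With JavaScript disabled (the default) such objects are unexpected and
    graded ALERT; on a cluster that deliberately enables it they are INFO.
    """
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return ["unparseable request body"]
    severity = "ALERT" if not javascript_enabled else "INFO"
    return [f"{severity}: JavaScript-typed object at {loc}" for loc in javascript_nodes(body)]
```

Run it over the JSON bodies recorded by the Druid request log or a reverse proxy; any ALERT line on a cluster with the feature disabled deserves a look.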

Credit:
This issue was discovered by Litch1 from the Security Team of Alibaba Cloud.

References:
https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E