
====================================================================

                             CERT-Renater

                 Note d'Information No. 2021/VULN059
_____________________________________________________________________

DATE                : 01/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Apache Druid versions prior to
                      0.20.1.

=====================================================================
http://mail-archives.apache.org/mod_mbox/www-announce/202101.mbox/%3cCACZfFK7WRWOfZ_3cZxXVE2nnGj73bBMBhND5gF=LzBeyfGxvpA@mail.gmail.com%3e
_____________________________________________________________________

Vendor:
The Apache Software Foundation

Product:
Apache Druid

Versions Affected:
Apache Druid 0.20.0 and earlier


Description:
Apache Druid includes the ability to execute user-provided JavaScript
code embedded in various types of requests. This functionality is
intended for use in high-trust environments, and is disabled by
default. However, in Druid 0.20.0 and earlier, it is possible for an
authenticated user to send a specially-crafted request that forces
Druid to run user-provided JavaScript code for that request,
regardless of server configuration. This can be leveraged to execute
code on the target machine with the privileges of the Druid server
process.


Mitigation:
Users should upgrade to Druid 0.20.1. Whenever possible, network
access to cluster machines should be restricted to trusted hosts only.
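The following Python script is an added example written for this note; it is not code from CERT-Renater or from the Apache Druid project. It turns the two points above into a check a defender can run: a version gate that flags any Druid older than the 0.20.1 fix release, and a scanner that walks captured request bodies and reports every component declared with "type": "javascript" (the convention Druid uses for JavaScript-backed filters, aggregators and extraction functions, assumed here as the marker to look for). The sample request bodies are constructed for the example and do not come from the advisory.

```python
import json
import re

# Constructed sample Druid request bodies (not taken from the advisory).
# The first carries a JavaScript-typed filter; the second is an ordinary query.
SAMPLE_REQUESTS = [
    '{"queryType":"timeseries","dataSource":"events",'
    '"intervals":["2021-01-01/2021-02-01"],"granularity":"day",'
    '"filter":{"type":"javascript","dimension":"host",'
    '"function":"function(x){return true;}"},'
    '"aggregations":[{"type":"count","name":"rows"}]}',
    '{"queryType":"timeseries","dataSource":"events",'
    '"intervals":["2021-01-01/2021-02-01"],"granularity":"day",'
    '"aggregations":[{"type":"longSum","name":"bytes","fieldName":"bytes"}]}',
]

# Release that carries the fix, as stated in the advisory.
FIXED_VERSION = (0, 20, 1)


def parse_version(version):
    """Parse a 'major.minor.patch' string; trailing suffixes are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Druid version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_vulnerable_version(version):
    """True when the running Druid is older than the 0.20.1 fix release."""
    return parse_version(version) < FIXED_VERSION


def find_javascript_components(node, path="$"):
    """Recursively walk a parsed request body and return JSONPath-style
    locations of every object whose 'type' is 'javascript'."""
    hits = []
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            hits.append(path)
        for key, value in node.items():
            hits.extend(find_javascript_components(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            hits.extend(find_javascript_components(value, f"{path}[{index}]"))
    return hits


def scan_request_body(body):
    """Locations of JavaScript-typed components in one request body;
    a body that is not JSON yields an empty list rather than an error."""
    try:
        parsed = json.loads(body)
    except json.JSONDecodeError:
        return []
    return find_javascript_components(parsed)


def triage(version, bodies):
    """Combine both checks: any request carrying JavaScript components is
    reported, and the finding is 'critical' while the server is still on a
    version the advisory lists as affected, 'review' once it has been upgraded
    (the feature is meant to be disabled, so its use still deserves a look)."""
    findings = []
    for index, body in enumerate(bodies):
        locations = scan_request_body(body)
        if locations:
            findings.append({
                "request": index,
                "locations": locations,
                "severity": "critical" if is_vulnerable_version(version) else "review",
            })
    return findings


if __name__ == "__main__":
    for finding in triage("0.20.0", SAMPLE_REQUESTS):
        print(finding)
```

Feed the scanner the request bodies your reverse proxy or broker access log retains; on an upgraded cluster the "review" findings are the list of clients still sending JavaScript-typed components, which is the population to examine when deciding whether the feature is needed at all.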


Credit:
This issue was discovered by Litch1 from the Security Team of Alibaba
Cloud.


References:
https://lists.apache.org/thread.html/rfda8a3aa6ac06a80c5cbfdeae0fc85f88a5984e32ea05e6dda46f866%40%3Cdev.druid.apache.org%3E


=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================