Apache Druid Remote Code Execution Vulnerability CVE-2021-25646

Description

Introduction

Apache Druid is a distributed data processing system that supports real-time multi-dimensional OLAP analysis. Druid provides low latency (real-time) data ingestion, and the most common scenario for Druid is the multi-dimensional and flexible OLAP analysis, due to big data background. Druid also supports pre-aggregation ingestion and aggregation analysis of data, based on time stamps, so some users use it in scenarios with time-series data processing and analysis.

Summary

On Feb 1, 2021, the Sangfor Security Team verified an Apache Druid remote code execution vulnerability CVE-2021-25646, classified as critical. The vulnerability is due to a lack of authentication in Apache Druid by default. Attackers can directly construct malicious requests to execute arbitrary code and control servers.

Impact

Apache Druid is a data store designed for high-performance OLAP queries fragment analysis on large data sets. It is also used as a data store for GUI analysis applications, or as a back-end for high-concurrency APIs that require fast aggregation. Apache Druid is often used for clickstream analysis (web and mobile analysis), network telemetry analysis (network performance monitoring), server index storage, supply chain analysis (manufacturing index), application performance measurement, digital marketing/advertising analysis, business intelligence and online analytical processing. There are more than 30,000 available hosts in the world that are potentially vulnerable to remote code execution.

Affected versions:

Apache Druid version earlier than 0.20.1

Timeline

Jan 27, 2021 Apache Druid released a security bulletin.
Feb 1, 2021 Sangfor FarSight Labs detected the attack information of this vulnerability and released a vulnerability alert.

Solution

Apache has released a new version to fix this vulnerability. Please download and install it from the following link: https://github.com/apache/druid/releases/tag/druid-0.20.1