Apache Druid vulnerability list
15 vulnerabilities related to Apache Druid found
CVE-2021-25646: Apache Druid - Remote Code Execution POC
Apache Druid is susceptible to remote code execution because by default it lacks authorization and authentication. Attackers can send specially crafted requests to execute arbitrary code with the privileges of processes on the Druid server. app="APACHE-Druid"
CVE-2021-36749: Apache Druid Authentication Restrictions Bypass POC
In the Druid ingestion system, the InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
druid-default-login: Apache Druid Default Login POC
Apache Druid default login information (admin/admin) was discovered. FOFA: title="druid monitor"
apache-druid-unauth: Apache Druid Unauth POC
app="Apache Druid"
Apache Druid Server-Side Request Forgery vulnerability (CVE-2025-27888) No POC
Apache Druid has a server-side request forgery vulnerability that allows an attacker to directly access internal systems.
CVE-2021-36749: Apache Druid - Local File Inclusion POC
Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of the Druid server process. This is not an elevation of privilege when users access Druid directly, since Druid also provides the Local InputSource, which allows the same level of access. But it is problematic when users interact with Druid indirectly through an application that allows users to specify the HTTP InputSource, but not the Local InputSource. In this case, users could bypass the application-level restriction by passing a file URL to the HTTP InputSource. This issue was previously mentioned as being fixed in 0.21.0 as per CVE-2021-26920 but was not fixed in 0.21.0 or 0.21.1.
CVE-2023-25194: Apache Druid Kafka Connect - Remote Code Execution POC
The vulnerability has the potential to enable an authenticated remote attacker to run arbitrary code on the system. This is due to unsafe deserialization that occurs during the configuration of the connector through the Kafka Connect REST API.
CVE-2025-27888: Apache Druid - Server-Side Request Forgery POC
Server-Side Request Forgery (SSRF), Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Apache Druid. This issue affects all previous Druid versions. When using the Druid management proxy, a request that has a specially crafted URL could be used to redirect the request to an arbitrary server instead. This has the potential for XSS or XSRF. The user is required to be authenticated for this exploit. The management proxy is enabled in Druid's out-of-box configuration. It may be disabled to mitigate this vulnerability. If the management proxy is disabled, some web console features will not work properly, but core functionality is unaffected. Users are recommended to upgrade to Druid 31.0.2 or Druid 32.0.1, which fixes the issue.
Apache Druid Kafka Connect Remote Code Execution vulnerability (CVE-2023-25194) No POC
Apache Druid is an open-source distributed data store and analytics system designed to handle large-scale real-time data and provide fast interactive queries and analysis. Apache Druid uses a vulnerable version of Kafka Connect. An attacker who can reach the Kafka Connect Worker and create or modify connectors can set the sasl.jaas.config property to a malicious class, leading to JNDI injection. Through this vulnerability, arbitrary code can be executed on the server side, a backdoor written, and server privileges obtained, ultimately taking control of the entire web server.
Apache Druid Remote Code Execution vulnerability No POC
Apache Druid has a remote code execution vulnerability in its front end; no authorization is required by default, there is no JDK version restriction, and all versions of Apache Druid are affected.
Apache Druid Log4j Remote Command Execution No POC
Log4j is an Apache open-source project. The vulnerability arises because Log4j inspects log content while writing it: if the content contains ${, Log4j treats the string as the address of a class to be loaded remotely via JNDI. Apache Druid uses this project for logging, so an attacker can exploit the vulnerability by constructing malicious input, resulting in loss of control over the server.
Apache Druid Arbitrary File Read (CVE-2021-36749) No POC
In the Druid ingestion system, the InputSource is used to read data from a given data source. The HTTP InputSource allows authenticated users to read data from other sources with the privileges of the Druid server process. When users interact with Druid indirectly through an application that lets them specify the HTTP InputSource but not the Local InputSource, a user can bypass the application-level restriction by passing a file URL to the HTTP InputSource, resulting in arbitrary file read.
Apache Druid filter Remote Code Execution vulnerability No POC
Apache Druid is a column-oriented, open-source distributed data store written in Java, designed to ingest large volumes of event data quickly and provide low-latency queries on top of that data. Apache Druid recently released a security update fixing CVE-2021-25646, an Apache Druid remote code execution vulnerability discovered by Chaitin (长亭). Because Apache Druid lacks authorization and authentication by default, an attacker can directly construct malicious requests to execute arbitrary code and take control of the server, which is an extremely high risk.
Apache Druid Remote Code Execution (CVE-2021-25646) No POC
Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This feature is intended for high-trust environments and is disabled by default. However, in Druid 0.20.0 and earlier, an authenticated user can craft the incoming JSON to control certain sensitive parameters and send a malicious request, exploiting this Apache Druid vulnerability to execute arbitrary code.