I wanted to add a few more details about this advisory, in the hopes that
it will be helpful to people who are upgrading.

Here's a link to the relevant docs about the new properties:
https://druid.apache.org/docs/latest/configuration/index.html#ingestion-security-configuration

And the most secure setup for these properties is:

druid.access.jdbc.enforceAllowedProperties = true
druid.access.jdbc.allowUnknownJdbcUrlFormat = false

If you aren't reading any data from JDBC into Druid, you should add both of
these to your common.runtime.properties. If you are reading data from JDBC,
then you need to understand a little bit about how the properties work to
get a secure setup that won't break your JDBC workflow.

The first property enforces jdbc property validation for mysql and
postgresql. This is enough to block the MySQL-based attack mentioned in
this CVE. That's because the attack relies on setting a specific property a
specific way, which will be blocked by the validation. To set this without
breaking your workflow, make sure that any properties you use in JDBC urls
are added to the cluster-wide druid.access.jdbc.allowedProperties whitelist.

The second property disables connections to other kinds of databases, where
we don't have code to validate properties. (Each driver's URL format is
unfortunately a bit different, so Druid can't understand what properties
are in use for arbitrary JDBC drivers.) This doesn't prevent any known
attacks, because the only one we know of specifically exploits the MySQL
driver. The purpose of this setting is to prevent any similar and
currently-unknown attacks that may involve other jdbc drivers. We provide
this option in case you are feeling paranoid.

Setting these properties may impact legitimate use cases. For example,
legitimate use cases would be impacted if you were using mysql or
postgresql properties that aren't on the default allow list, or if you were
using jdbc connections to database types other than mysql and postgresql.
We didn't want to break these things by surprise in a patch release, so the
most secure setup isn't enabled by default. In a future major version we'll
switch the defaults to the more secure ones.
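To make the interaction of the two settings concrete, here is an added illustration (not Druid's own code) of the decision they describe: property validation is applied to mysql/postgresql URLs against an allow list, and URLs for drivers the validator cannot parse are rejected unless unknown formats are explicitly allowed. The allow list, the driver set, and the sample URLs are constructed for the example; the real defaults are in the Druid docs linked above.

```python
from urllib.parse import urlparse, parse_qs

# Constructed allow list for this illustration. Druid ships its own default
# druid.access.jdbc.allowedProperties list; use that, not this one, in production.
ALLOWED_PROPERTIES = {"useSSL", "requireSSL", "ssl", "sslmode", "connectTimeout"}

# Drivers whose URL format this (assumed) validator understands, mirroring the
# mysql/postgresql scope described in the advisory reply.
VALIDATED_DRIVERS = {"mysql", "postgresql"}


def jdbc_properties(jdbc_url):
    """Return (driver, {property: value}); properties is None for drivers we cannot parse."""
    if not jdbc_url.lower().startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    rest = jdbc_url[len("jdbc:"):]
    driver = rest.split(":", 1)[0].lower()
    if driver not in VALIDATED_DRIVERS:
        return driver, None
    query = urlparse(rest).query
    # keep_blank_values so that "?prop" with no value is still seen as a property
    props = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return driver, props


def check_jdbc_url(jdbc_url, enforce_allowed_properties=True,
                   allow_unknown_jdbc_url_format=False, allowed=ALLOWED_PROPERTIES):
    """Apply the two settings to one URL; returns (accepted, reason)."""
    driver, props = jdbc_properties(jdbc_url)
    if props is None:
        if allow_unknown_jdbc_url_format:
            return True, f"{driver}: accepted without property validation"
        return False, f"{driver}: no validator for this driver and allowUnknownJdbcUrlFormat=false"
    if not enforce_allowed_properties:
        return True, f"{driver}: property validation disabled"
    unlisted = sorted(set(props) - set(allowed))
    if unlisted:
        return False, f"{driver}: properties not on allow list: {unlisted}"
    return True, f"{driver}: all {len(props)} properties on allow list"


if __name__ == "__main__":
    # Constructed sample URLs; hosts and property names are placeholders.
    for url in ("jdbc:mysql://db.internal:3306/app?useSSL=true",
                "jdbc:mysql://db.internal:3306/app?useSSL=true&someUnlistedProp=1",
                "jdbc:postgresql://db.internal/app?sslmode=require",
                "jdbc:oracle:thin:@db.internal:1521:app"):
        print(url, "->", check_jdbc_url(url))
```

Before enabling enforceAllowedProperties, run every JDBC URL your lookups and ingestion specs use through a check like this against your real allowedProperties value, so the rejections show up in review rather than in production.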

On Mon, Mar 29, 2021 at 12:22 PM Jihoon Son <jihoon...@apache.org> wrote:

> Severity: Medium
>
> Vendor:
> The Apache Software Foundation
>
> Versions Affected:
> Druid 0.20.1 and earlier
>
> Description:
> Druid allows users to read data from other database systems using
> JDBC. This functionality is to allow trusted users with the proper
> permissions to set up lookups or submit ingestion tasks. The MySQL
> JDBC driver supports certain properties, which, if left unmitigated,
> can allow an attacker to execute arbitrary code from a
> hacker-controlled malicious MySQL server within Druid server
> processes.
>
> Mitigation:
> Users should upgrade to Druid 0.20.2 and enable new Druid
> configurations to mitigate vulnerable MySQL JDBC properties.
> Whenever possible, network access to cluster machines should be
> restricted to trusted hosts only.
> Ensure that users have the minimum set of Druid permissions necessary,
> and are not granted access to functionality that they do not require.
>
> Credit:
> This issue was discovered by fantasyC4t from the Ant FG Security Lab.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@druid.apache.org
> For additional commands, e-mail: dev-h...@druid.apache.org
>
>
